Receiving two different access tokens with different scopes?

Hopefully someone can point me in the right direction here.

Currently a user can log in to our application and the resulting access token (and any acquired later with a refresh token) contains the appropriate scopes. What I’m trying to do now is permit the application to acquire a separate access token + refresh token at the same time with a limited set of scopes.

Imagine a mobile application where a user logs in and grants the application full access to the resources so that it can function as needed while the user is interacting with it. But imagine the application can continue to run in the background and we’d like it to only have read-only access to those resources in that scenario.

Are there any options / best practices for tackling this use case?