How to issue a long lived read only token with IdentityServer 4

Question

I am thinking about how I can set the following up.

1. API (storage API) that allows access to files
2. Portal Page (SPA using implicit grant)
3. identity server

Such the user signs in to the portal by the implicit grant. The portal now has a short lived reference token as per this client configuration in identity server.

new Client
{
    ClientId = "Portal",
    ClientName ="Portal",
    ClientUri = "https://example.com",
    AllowAccessTokensViaBrowser = true,
    RequireClientSecret = false,
    RequireConsent=false,
    AccessTokenType = AccessTokenType.Reference,                 
    AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            "api1"
        },
    }
    ...

I then want the user to be able to be presented by a public access token that he can include in permalinks to his files to share with friends, as well as also be able to create new tokens and revoke them again on his demand. But these tokens should be read only.

I been reading a bit up about long lived reference tokens, and came to the conclussion that this is what i need. But I dont want to change the above client used for the interactive flow with the user, due to that I want their tokens to be shortlived.

What do I do?

1. Do i create a new client registration ClientId = Portal1 and set the AccessTokenLifetime = infinity ?
2. Something else?

For the read only part. Right now allowed scopes have just "api". Is this where i would create multiple scopes for different access policies.

1. https://example.com/storageapi/read
2. https://example.com/storageapi/write
3. https://example.com/storageapi

one reason why I dont think this is the proper place is that when setting up authentication for the api, it looks like

services.AddAuthentication().AddIdentityServerAuthentication((options) =>
{

    options.Authority = opidc.Authority; 
    options.RequireHttpsMetadata = true;

    options.EnableCaching = false;
    options.TokenRetriever = StorageServiceMiddleware.TokenRetriver;

    options.ApiName = "api1";
    options.ApiSecret = "secret";
});

and i get the impression that ApiName is singular and not really intended to handle multiple types of scope for read and write. So how do i configure this in aspnet core with the authorize handlers?

Again the goal here is to make a service where the user can create and revoke tokens such 3th party services can consume resources on behalf of the user.

Update Extension Grants

If creating a seperate client for the long lived reference tokens, one could create an endpoint that uses a extension grant to create a long lived token from the short lived token. Does this make sense?