IdentityModel / IdentityModel.AspNetCore

ASP.NET Core helper library for claims-based identity, OAuth 2.0 and OpenID Connect.

Challenge-Scheme specific refresh-tokens

darrenschwarz opened this issue · comments

For scenarios where we require management of tokens for multiple resources, we adopt the approach explained in your Duende docs Requesting access to multiple resources.

There are scenarios where we require the management of access-tokens from different issuers.

I've forked IdentityModel.AspNetCore and made two commits to highlight the requirement and the suggested solution.

Failing test: Succeeds_with_support_for_refresh_token_per_challenge_scheme

Passing test: Succeeds_with_support_for_refresh_token_per_challenge_scheme

The second commit is really the one of interest where you can see the update to: IdentityModel.AspNetCore.AccessTokenManagement.AuthenticationSessionUserAccessTokenStore.cs

tl;dr: retrieval and persistence of refresh tokens apply a similar treatment to the one already applied to the naming of tokenName and expiresName; the difference being that the ChallengeScheme is appended as opposed to the Resource Name.

```csharp
// Name the refresh token the same way the access token and expiry are already
// named, but suffix it with the challenge scheme (the issuer) rather than the resource.
var refreshTokenName = $"{TokenPrefix}{OpenIdConnectParameterNames.RefreshToken}";

if (!string.IsNullOrEmpty(parameters.ChallengeScheme))
{
    refreshTokenName += $"::{parameters.ChallengeScheme}";
}
```

Ideally, we'd like to get this change into a PR, pending a review from your side.

I look forward to your feedback. :)
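The following is an added, self-contained illustration of the naming rule described in the issue; it is example code written for this page, not code from IdentityModel.AspNetCore or from the forked commits. It assumes hypothetical class names (UserAccessTokenParameters, UserAccessToken, InMemoryUserAccessTokenStore), a made-up TokenPrefix value, and a Dictionary standing in for the authentication session properties. The access token and expiry are keyed per Resource, as the issue says the library already does, and the refresh token is keyed per ChallengeScheme. Constructing the store with refreshTokenPerScheme set to false reproduces the pre-change behaviour, where the second issuer's refresh token overwrites the first one's; with it set to true each issuer keeps its own.

```csharp
// Added example (not IdentityModel.AspNetCore code): minimal in-memory token
// store that keys the access token and expiry per resource and the refresh
// token per challenge scheme, so tokens from different issuers stay separate.
using System;
using System.Collections.Generic;

public class UserAccessTokenParameters
{
    public string Resource { get; set; }
    public string ChallengeScheme { get; set; }
}

public class UserAccessToken
{
    public string AccessToken { get; set; }
    public DateTimeOffset Expiration { get; set; }
    public string RefreshToken { get; set; }
}

public class InMemoryUserAccessTokenStore
{
    // Hypothetical prefix; the library defines its own TokenPrefix constant.
    private const string TokenPrefix = ".Token.";
    private readonly bool _refreshTokenPerScheme;
    // Stands in for the authentication session's token properties.
    private readonly Dictionary<string, string> _session = new Dictionary<string, string>();

    // refreshTokenPerScheme = false reproduces the pre-change naming for comparison.
    public InMemoryUserAccessTokenStore(bool refreshTokenPerScheme)
    {
        _refreshTokenPerScheme = refreshTokenPerScheme;
    }

    // Same "name::suffix" rule used for tokenName/expiresName and the new refresh token name.
    private static string Suffixed(string name, string suffix) =>
        string.IsNullOrEmpty(suffix) ? TokenPrefix + name : $"{TokenPrefix}{name}::{suffix}";

    private string RefreshTokenName(UserAccessTokenParameters p) =>
        Suffixed("refresh_token", _refreshTokenPerScheme ? p.ChallengeScheme : null);

    public void StoreToken(UserAccessToken token, UserAccessTokenParameters p)
    {
        _session[Suffixed("access_token", p.Resource)] = token.AccessToken;
        _session[Suffixed("expires_at", p.Resource)] = token.Expiration.ToString("o");
        if (token.RefreshToken != null)
        {
            _session[RefreshTokenName(p)] = token.RefreshToken;
        }
    }

    public UserAccessToken GetToken(UserAccessTokenParameters p)
    {
        if (!_session.TryGetValue(Suffixed("access_token", p.Resource), out var accessToken))
        {
            return null;
        }
        _session.TryGetValue(RefreshTokenName(p), out var refreshToken);
        return new UserAccessToken
        {
            AccessToken = accessToken,
            Expiration = DateTimeOffset.Parse(_session[Suffixed("expires_at", p.Resource)]),
            RefreshToken = refreshToken,
        };
    }
}

public static class Demo
{
    // Returns true only when each issuer gets back the refresh token it issued.
    public static bool RefreshTokensIsolated(bool perScheme)
    {
        var store = new InMemoryUserAccessTokenStore(perScheme);
        var expires = DateTimeOffset.UtcNow.AddMinutes(5);
        // Constructed sample values: two OIDC challenge schemes ("oidc-a", "oidc-b"),
        // each protecting its own API resource and issuing its own refresh token.
        var a = new UserAccessTokenParameters { Resource = "api-a", ChallengeScheme = "oidc-a" };
        var b = new UserAccessTokenParameters { Resource = "api-b", ChallengeScheme = "oidc-b" };
        store.StoreToken(new UserAccessToken { AccessToken = "at-a", Expiration = expires, RefreshToken = "rt-a" }, a);
        store.StoreToken(new UserAccessToken { AccessToken = "at-b", Expiration = expires, RefreshToken = "rt-b" }, b);

        return store.GetToken(a).RefreshToken == "rt-a" && store.GetToken(b).RefreshToken == "rt-b";
    }

    public static void Main()
    {
        // Without the scheme suffix the second StoreToken overwrites the first refresh
        // token, so a later refresh for api-a would present issuer B's token to issuer A.
        Console.WriteLine($"refresh token per scheme: isolated = {RefreshTokensIsolated(true)}");
        Console.WriteLine($"shared refresh token:     isolated = {RefreshTokensIsolated(false)}");
    }
}
```

The security-relevant property is the second line of output: with a single unsuffixed refresh token name, a refresh for one resource silently uses whichever issuer wrote last, and the refresh request then fails (or, worse, succeeds against the wrong authority if both trust the same token). Keying the refresh token by challenge scheme removes that cross-issuer confusion.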

merged.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.