When a dynamic scope is possible you can require the correct permissions right away. Only if a user wants to upgrade or downgrade you should request new permissions. So: (1) user installs App; (2) authorize with required (dynamic) scope (don't forget to 'remember' this scope); (3) user approves permissions; (4) store token and scope.
Repeat steps (2) to (4) if you want to upgrade or downgrade the permissions.
HJ