I configured my passwordless Authentication Parameters like so:
{"scope": "openid email profile picture app_metadata"}
I am using the social providers + email code Lock widget. After logging in, my tokens only contain iss, sub, aud, exp and iat.
In order to align with OIDC specifications, you need to add non-OIDC claims by namespacing them through Rules:
I think I may have misunderstood the option here - I suspect the admin option controls the “email link”, and not the email code login. I set authOptions on the passwordless lock component, and now it works as I want.