The oauth/token endpoint is compliant with the OpenID Connect specification. As per the OIDC-compliant pipeline, only a small number of attributes are marked as standard claims and only these will be returned in the token, like the openid email you are seeing. Any additional claims need to be added by manual mapping and following a namespaced format to avoid possible collisions with standard claims. These custom claims can only be added using a Rule. The rule will look something like this:
function (user, context, callback) {
var namespace = 'https://example.com/';
context.idToken[namespace + 'user_metadata'] = user.user_metadata;
callback(null, user, context);
}