Auth0 Lock use Token Rather than Password

How do I configure Auth0-Lock 10.18.0 package to not send the password in plain text but instead send a token for validation? When I look at the request being done over the wire, it has both my username and password in the payload which is typically bad practice. Here is my current config:

new Auth0Lock(result.body.clientId, configuration.getDomain(), {
          oidcConformant: true,
          autoclose: true,
          auth: {
            redirectUrl: this.storeUri,
            responseType: 'token id_token',
            audience: `https://${configuration.getDomain()}/userinfo`,
            params: {
              scope: 'openid'
            },
          },
          languageDictionary: {
            title: this.title
          },
          theme: {
            logo: this.logo
          }
        });