There are a few things to keep in mind in this situation, in particular:
- adding `openid profile email` to the `scope` means that you want to receive an OpenID Connect response (obtain an ID token) and that within the ID token you should receive information about email and profile attributes.
- when having a client application (Angular) and an API (.NET) that are treated independently (each has its own record in the corresponding section of the Auth0 dashboard), the token that will be used by the client application in API calls is the access token.
It follows from the above that if you’re sending an access token to the API then asking to receive user information as part of the ID token won’t immediately help because you won’t be sending the ID token to the API.
In this situation, you can consider explicitly adding information to the access token through rules (OpenID Connect Scopes) or, if the API is configured to use RS256, then the issued access token will also have an audience valid for the `/userinfo` endpoint and the API could call the user information endpoint to get the requested user information (this second option may have considerable overhead).
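
A sketch of the first option above, as an added example that is not part of the original answer: an Auth0 Rule that copies the requested user attributes into the access token as namespaced custom claims. The namespace URI and the function name are assumptions; the `(user, context, callback)` signature and `context.accessToken` are the Rules interface.

```javascript
// Added example: Auth0 Rule that puts user attributes into the access token.
// NAMESPACE is an assumed placeholder; use a URI you control so custom
// claims cannot collide with standard ones.
const NAMESPACE = 'https://example.com/claims/';

function addProfileClaimsToAccessToken(user, context, callback) {
  // Requested scopes arrive in the query string (/authorize)
  // or in the request body (/oauth/token).
  const req = context.request || {};
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  const scopes = new Set(raw.split(/\s+/).filter(Boolean));

  context.accessToken = context.accessToken || {};

  // Copy only what the client asked for, so the token sent to the API
  // does not carry personal data by default.
  if (scopes.has('email') && user.email) {
    context.accessToken[NAMESPACE + 'email'] = user.email;
    // Pass the verification flag along so the API can refuse
    // to trust an unverified address.
    context.accessToken[NAMESPACE + 'email_verified'] = user.email_verified === true;
  }
  if (scopes.has('profile')) {
    if (user.name) context.accessToken[NAMESPACE + 'name'] = user.name;
    if (user.nickname) context.accessToken[NAMESPACE + 'nickname'] = user.nickname;
  }

  callback(null, user, context);
}
```

The API then reads these claims from the validated access token under the same namespace, with no extra call to `/userinfo`.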