Catch22: Having trouble getting a JWT from the Lock

Using the lock with config:

const lockOptions = {
      auth: {
        params: {
           audience: 'spring-boot-jwts',
           scope: 'read:sample profile',
         }
      },
       hashCleanup: false,
    }

but I get a non-JWT access token.
But a user-credentials post gets me a JWT token:

curl --request POST   --url 'https://<mydomain>.auth0.com/oauth/token'   --header 'content-type: application/json'   --data '{"grant_type":"password","username": "<username>","password": "<password","audience": "spring-boot-jwts", "scope": "read:sample", "client_id": "<clientid>", "client_secret": "<secret>"}

The docs seem to indicate that I could turn on OIDC compliance, I would get JWTs again, but if I turn on OIDC compliance, I get errors that: “Password login is disabled for clients using externally hosted login pages with oidc_conformant flag set.”

Is there a good example to login with the Lock on an SPA and get a JWT access token provided?

For flexibility of having a single login experience for multiple clients, and SSO support, we recommend using the hosted login page. In this case, you can simply call the auth0js authorize(), which will trigger the redirect to the hosted login page to handle authentication. This is also an OIDC compliant flow, which will issue JWT access_tokens for password logins.

So, if you want to issue a JWT for your API to validate, you can’t use the Lock?