I just reviewed that configuration and there’s a few things to point out. The use of audience in Lock implies the use of oidcConformant which implies cross-origin authentication and also means that popup mode is not supported. In addition, the audience parameter is set at the auth level so setting it at the params level is not supported. Finally, with that configuration Lock is using legacy flows which means that a responseType of token with an openid scope will still issue an ID token which I indeed obtained in my tests. I’ll add a few links to docs on a subsequent comment.