I have it working. In case this is helpful for anyone else I used the following setup. Next call /userinfo to validate your token.
realm is the name of the dB connection name under ‘connections’
also under your ‘applications’ under advanced enable grant-type of password
under that tenant set a user with Username-Password-Authentication credentials
scope: “openid profile email”
With this I get back a access_token and id_token. I send the access token to the /userinfo and get back user details.