Passwordless id token does not contain what I ask for

I configured my passwordless Authentication Parameters like so:

{"scope": "openid email profile picture app_metadata"}

I am using the social providers + email code Lock widget. After logging in, my tokens only contain iss, sub, aud, exp and iat.

In order to align with OIDC specifications, you need to add non-OIDC claims by namespacing them through Rules:

I think I may have misunderstood the option here - I suspect the admin option controls the “email link”, and not the email code login. I set authOptions on the passwordless lock component, and now it works as I want.