Possible oauth2 problem with Discourse and Auth0 EU sites

Awesome, thank you!

The key fix was the scope needs to be passed to the authorize url value (I also updated all my oauth2 json values to match what you have above once I was getting a json result back from Auth0).

Rather than adding the scope directly to the URL though, there actually is a somewhat recent addition to the discourse oauth2 basic plugin that adds a scope field to the site settings, so that you can have these settings:

oauth2 authorize url: https://[tenant].auth0.com/authorize
oauth2 authorize options: scope
oauth2 scope: openid profile email

Sorry for the trouble here, my old Auth0 account still works without adding the scope fields to the auth url, but my new Auth0 account (and everyone else's!) needs them. Looks like this is in the Auth0 oauth2 docs, so I probably should have read them!

scope: A space-delimited list of permissions that the application requires.

Standard claim docs:

Notice that we included three values at the scope param: openid, profile (to get name, nickname and picture) and email (to get the email claim).

2 Likes
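
The fix described in the post above, as an added example (not part of the original post and not the plugin's code): a Ruby sketch that builds the authorize request with a space-delimited scope and reports which claims a given scope can never release, using the standard scope-to-claim mapping from OpenID Connect Core. The function names, the `NEEDED` list, the `tenant.example` host and the client values are assumptions made for illustration.

```ruby
require "uri"
require "json"

# Claims each standard scope releases (OpenID Connect Core, section 5.4).
SCOPE_CLAIMS = {
  "openid"  => %w[sub],
  "profile" => %w[name family_name given_name middle_name nickname
                  preferred_username profile picture website gender
                  birthdate zoneinfo locale updated_at],
  "email"   => %w[email email_verified],
}.freeze

# Assumed for this example: the claims the forum's json path settings read.
NEEDED = %w[sub email name].freeze

# Build the authorization request URL; the scope list is space-delimited
# and is form-encoded into the query string along with the other parameters.
def authorize_url(base, client_id:, redirect_uri:, scope:, state:)
  uri = URI(base)
  uri.query = URI.encode_www_form(
    response_type: "code", client_id: client_id,
    redirect_uri: redirect_uri, scope: scope, state: state
  )
  uri.to_s
end

# Claims the login flow needs that the requested scope can never release.
def unreachable_claims(scope, needed = NEEDED)
  granted = scope.to_s.split.flat_map { |s| SCOPE_CLAIMS.fetch(s, []) }
  needed - granted
end

# Claims the scope should have released but the userinfo body lacks.
def missing_claims(userinfo_json, scope, needed = NEEDED)
  body = JSON.parse(userinfo_json)
  (needed - unreachable_claims(scope, needed)).reject { |c| body.key?(c) }
end

# Constructed sample values; tenant.example stands in for the real tenant.
puts authorize_url("https://tenant.example/authorize",
                   client_id: "CLIENT_ID_PLACEHOLDER",
                   redirect_uri: "https://forum.example/callback",
                   scope: "openid profile email", state: "constructed-state")
puts "no scope cannot yield: #{unreachable_claims('').join(', ')}"
```
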