The client.login method in the latest Auth0.js uses the /oauth/token endpoint available as part of the latest authentication and authorization API feature set (aka this endpoint is not a legacy authentication endpoint and as such strictly conforms to OpenID Connect and OAuth2 specs).
When you consider the above with the fact that identities is not a standard OIDC scope, then the behavior you’re obtaining is explained and expected. If you’re still using legacy authentication flows, the recommendation would be to move to the new flows and stop relying on non-standard behavior like controlling the contents of the ID token using non-standard scopes.
With the latest flows you can still add additional information to the ID token; you’ll just need to do it explicitly through a rule instead (see the reference docs for additional information).
If, at this time, you cannot yet upgrade to the latest flows, then you may need to constrain your usage solely to the legacy endpoints (this may mean using SDK versions that are not the latest and/or direct calls to the authentication API). In particular, you can also perform a username/password login in a similar manner to /oauth/ro which is a legacy endpoint.
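
A sketch of the rule-based approach mentioned above, as an added example that is not part of the original answer or Auth0's own code: a rule that copies an allowlisted subset of each identity into a namespaced ID token claim. The namespace `https://example.com/`, the function names, and the choice of allowlisted fields are assumptions for illustration; the allowlist is there so that any upstream provider tokens present on an identity entry are not exposed to the client.

```javascript
// Added example: an Auth0 rule has the shape function (user, context, callback).
// NAMESPACE is a placeholder; custom claims on the OIDC-conformant flows
// must be namespaced so they cannot collide with standard claims.
const NAMESPACE = 'https://example.com/';

// Assumption: only these identity fields are needed by the client.
// Anything else on the identity (e.g. upstream IdP tokens) is dropped.
const ALLOWED_FIELDS = ['provider', 'user_id', 'connection', 'isSocial'];

// Copy only allowlisted own properties from one identity entry.
function pickIdentityFields(identity) {
  const out = {};
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(identity, field)) {
      out[field] = identity[field];
    }
  }
  return out;
}

// The rule itself: adds the filtered identities as a namespaced ID token claim.
function addIdentitiesToIdToken(user, context, callback) {
  const identities = Array.isArray(user.identities) ? user.identities : [];
  context.idToken = context.idToken || {};
  context.idToken[NAMESPACE + 'identities'] = identities.map(pickIdentityFields);
  callback(null, user, context);
}

// Constructed sample input, run locally to show what the claim would contain.
function runSample() {
  const user = {
    user_id: 'auth0|constructed-123',
    identities: [
      { provider: 'auth0', user_id: 'constructed-123', connection: 'db', isSocial: false },
      { provider: 'google-oauth2', user_id: 'constructed-456', connection: 'google-oauth2',
        isSocial: true, access_token: 'constructed-upstream-token' },
    ],
  };
  let result = null;
  addIdentitiesToIdToken(user, {}, (err, u, ctx) => { result = ctx; });
  return result.idToken[NAMESPACE + 'identities'];
}
```

In the Auth0 dashboard only the body of `addIdentitiesToIdToken` would be deployed as the rule; `runSample` exists solely to exercise it offline.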