Scope not affection access_token only id_token

I’m working with the quick guide Symfony PHP. While intercepting the responses in the Auth0 flow I discovered something I dont quite understand. The bundle is configured to use scopes

scope: "openid email"

And right enough if I inspect the id_token on it only showed the scoped details of the user. What is baffling is I also see an object derived from the class HWI\Bundle\OAuthBundle\OAuth\Response\PathUserResponse that contains the whole user profile. All data available. When I try calling the https://{{auth0_domain}}/userinfo with the access_token I get the whole user profile and not the scope I would expect from an access_token with scope. Am I missing something? I thought scopes limited the data returned from using an access_token.

Calling https://{{auth0_domain}}/tokeninfo with the scoped id_token seems to return the whole user as well.

If you’re making your authentication requests as per the OIDC compatibility mode then the information returned within the ID Token and as part of /userinfo will conform to that specification and as such honor the OIDC scopes you requested. Have in mind that /tokeninfo is a custom endpoint, not specified under the OIDC specs and as such it’s out of scope for this analysis.

If you’re receiving a response from /userinfo that includes more information than the one you requested through OIDC scopes then the likely cause is that the original request and resulting tokens were not issued as part of an OIDC compliant flow. You can see the link above for the ways to ensure you get OIDC compliant behavior in the ID Token and /userinfo endpoint.