I could not reproduce this situation with a similar configuration to yours and then calling either authorize or client.login methods to obtain the access token that I would then use to call /userinfo.
Verify that your code is not overriding, when calling one of the methods above, the scope set when you create the WebAuth instance. You can also make sure that any request is indeed being made with the correct set of scopes using the browser network tools to analyse the applicable request made to the Auth0 tenant.