Why is auth.js not giving me the scope I asked for?

I have the following code…

script(type="text/javascript")
  | var webAuth = new auth0.WebAuth({
  |  domain: '#{domain}',
  |  clientID: '#{clientId}',
  |  responseType: 'token id_token',
  |  redirectUri: '#{redirect}',
  |  audience: '#{audience}',
  |  scope: "openid email profile read:user_idp_tokens"
  | });
  | webAuth.authorize();

In the callback url I get the JWT access token. Next I try to call /api/v2/users/ with the token I just received and the userid of the user the token is associated with but I get…

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Insufficient scope, expected any of: read:users,read:current_user,read:user_idp_tokens",
    "errorCode": "insufficient_scope"
}

But I asked for a token with that scope so I am confused.

I see here

It isn’t offered so now I need to know how to get it from the server. I reconfigured using OpenId connect instead and now I try to get a client_credential with scope read:user_idp_tokens read:users but I get…

{
    "error": "access_denied",
    "error_description": "Client has not been granted scopes: read:user_idp_tokens, read:users"
}

So I remove the scope and when I try to use the token to get the /user endpoint I get…

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid token",
    "attributes": {
        "error": "Invalid token"
    }
}