Why is auth.js not giving me the scope I asked for?

I see here

It isn’t offered so now I need to know how to get it from the server. I reconfigured using OpenId connect instead and now I try to get a client_credential with scope read:user_idp_tokens read:users but I get…

{
    "error": "access_denied",
    "error_description": "Client has not been granted scopes: read:user_idp_tokens, read:users"
}

So I remove the scope and when I try to use the token to get the /user endpoint I get…

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid token",
    "attributes": {
        "error": "Invalid token"
    }
}