Is it no longer still just a case of simply exchanging an authorization code for an access token, like back when I was a lad?
But now instead of that process returning a token with which you can ask for a profile, i.e. the actual email to determine who just logged in.
Now the process is that auth0 gives a user object identifier, and than a service-to-service API goes and looks up the information. And that seems to require a different service API credential, which is a JWT, and that has lots of claims and grants that need configuring, the JWT unpacked, and then the contents can be used as another token to another API that will return the user information.
So it's gone from a couple of simple API calls, to a very complex multi-actor scenario with JWTs thrown in for good measure.