Hi ppinkney,
You state that "the verified email address and nonce will be included in the identity token for subsequent authorization requests". Does this mean that if the user chose to hide their email address, it won't show up in the identity token?