gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

Look into this issue #49

Closed stefandesu closed 3 years ago

stefandesu commented 4 years ago

I stumbled upon the following line in the code: https://github.com/gbv/login-server/blob/071362c7cd08aeea5d8c55c047b563a96a46e4b7/utils/index.js#L81

Apparently, I decided that identities should not be included in the user data inside the JWT. But there are two issues with this:

  1. identities is necessary for jskos-server to correctly figure out a user's identity if the user has multiple identities.

  2. It actually does NOT omit identities from the user object for some reason, even though lodash's omit definitely works in general. 🤔

Very curious issue, not too important though.

stefandesu commented 3 years ago

Why I decided that identities should not be included: I have no idea. That was leftover code from the very first commit introducing JWTs. But I know for a fact that our applications would break without identities, so I removed it.

Why _.omit did not work: user was not a plain object, but a Mongoose object from the database. For some reason, _.omit does not work on those objects. Even though I removed the omission, I still added code to convert it to a plain object if necessary.
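
An added example, not code from this issue or from login-server: a simplified model of how a field that was meant to be omitted can still end up in serialized token claims when the user is a document wrapper rather than a plain object, and how converting to a plain object first avoids it. `FakeDocument` is a constructed stand-in (not Mongoose itself), and `omitKeys`, `toPlain` and `claimsFor` are hypothetical helper names; `omitKeys` assumes the "own and inherited enumerable" key set that lodash documents for `omit`.

```javascript
// Added example; FakeDocument, omitKeys, toPlain and claimsFor are hypothetical names.
// FakeDocument is a constructed stand-in for a database document wrapper: field
// values live in an internal store and are exposed through prototype getters.
class FakeDocument {
  constructor(data) { this._doc = { ...data }; }
  toObject() { return { ...this._doc }; }
}
for (const key of ["uri", "name", "identities"]) {
  Object.defineProperty(FakeDocument.prototype, key, {
    enumerable: true,
    get() { return this._doc[key]; },
  });
}

// Shallow omit over own and inherited enumerable keys.
function omitKeys(obj, keys) {
  const out = {};
  for (const k in obj) {
    if (!keys.includes(k)) out[k] = obj[k];
  }
  return out;
}

// Convert to a plain object first when the value offers toObject().
function toPlain(user) {
  return user && typeof user.toObject === "function" ? user.toObject() : user;
}

// Serialize claims the way a JWT payload segment is built, then read them back.
function claimsFor(user) {
  const segment = Buffer.from(JSON.stringify({ user })).toString("base64url");
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Constructed sample user.
const doc = new FakeDocument({
  uri: "https://example.org/users/1",
  name: "Example User",
  identities: { github: { id: "12345" } },
});

const fromWrapper = claimsFor(omitKeys(doc, ["identities"]));
const fromPlain = claimsFor(omitKeys(toPlain(doc), ["identities"]));
console.log(JSON.stringify(fromWrapper)); // internal store still carries identities
console.log(JSON.stringify(fromPlain));   // only uri and name remain
```

Decoding the payload segment of an issued token and checking its keys, as `claimsFor` does here, is a quick way to confirm that a claim intended to be dropped is really absent.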