session: Store user AllowedBearers configuration

session: Store user AllowedBearers configuration

Don't overwrite the user provided AllowedBearers
configuration. Instead just store it at session level. So we always
will apply the bearer filter on the user input.

Obviously, this might need some more improvements on how we want
to handle the AllowedBearers behavior when the policy plugin and
the application provide a configuration. For exmaple should
we update the AllowedBearers if the policy changes or just always
show only the user input. This patch is not perfect but it
improves the situation clearly.