Session tokens must always contain clientId, userId (if any) and the list of allowed permissions

Right now we are generating two kind of session tokens:

For the admin user, with a payload like:
```
{
"id": "admin",
"scope": "admin"
}
```

For regular users, with a payload like:

{
"id": {
"opaqueId": "facebook_id",
"provider": "facebook",
"clientKey": "02e9c7"
},
"scope": "user"
}

Session tokens must always contain a client key, a list of allowed permissions, and may have or may not have a user associated. So we should end up with:

Anonymous session tokens:

{ 
"clientId": "1234567890987654321",
"scopes": ["sensorthings"]
}

User session tokens:

{
"clientId": "1234567890987654321",
"userId": {
"opaqueId": "facebook_id",
"idp": "facebook"
},
"scopes": ["sensorthings"]
}

The list of permissions is tbd in #53

mozilla-sensorweb / sensorweb-server

Session tokens must always contain clientId, userId (if any) and the list of allowed permissions #68