Auth sessions are a single auth process between a user and an auth realm. As
such, they are keyed off the tuple of `(user_id, realm_id)`.
Only the realm which they belong to knows how to construct them, hence all
"load" sections require an `AuthRealm` to be extracted first.
Currently I pass in a `json.RawMessage` rather than factory initialise and
clobber public fields based on the JSON, we can always change that if need be
later down the line.
Overall, this feels really nice (when starting to add in GH auth, everything I
wanted was already there in the right place waiting for me).