can oathkeeper add AuthenticationSession fields into the body of a "remote" style authoriser or only the headers? It is not a major problem for me, it just feels that a block of json in the body is a "cleaner" way to pass the information ...