Custom Claims Identity management in the MVC application

Question

We have implemented Azure AD authentication using OpenID-Connect in our MVC application and enable the roles management in the application using managed Roles-Claims.

Now, we have got into a new trouble to manage the claims in the application since the claims count is very high.

SQL DB: 1) Master Claims Table 2) Roles Table 3) RoleID - ClaimID mapping table 4) UserClaims Table - This is where userid and roleid mapping will be maintained

C#:

var identity = new ClaimsIdentity(new[] {

        new Claim("UserMgt:Maintenance", "True"), 
        new Claim("UserMgt:Add", "True"), 
         new Claim("UserMgt:Add", "True")
},
    "ApplicationCookie");

. . .

We are not sure if that will slow down the performance. We host the application in Azure and thinking of storing the claims in the rediscache as soon as the user has logged in and then provide the access in each page/module by reading the corresponding claims in every page.

Let us know if you have any better suggestions.

Thank you

Answer 1

On login claims are stored in cookies. So reading claims from cookies is pretty quick does not require access to your database.

However cookie size can be a problem. If you put too much data into a cookie, requests will become overbloated. A single cookie can be up to 4Kb with total up to 16Kb of headers (browser dependent). So if you are hitting that limit, it is worth reconsider what you are doing with claims. (Imagine an AJAX request that posts 20 characters to get 201 request, but lugging about 16Kb of headers over the network).

Obviously claims are encrypted in the cookie, but ratio of data increase is about 1.1. Ie for 1Kb of data in claims you'll get about 1.1Kb of actual cookie size on the wire (that is from my experiements with cookie sizes when I was exploring the same issue)

If you are not hitting these limits, I'd say not to worry too much about it.