Managing Permissions with Azure AD B2C

I want to use Azure Active Directory B2C in my application. I will have a lot of permissions, for example a certain user is allowed to read a table, write to the table, etc. This could be hundreds of permissions, if not thousands, if the application gets bigger. Should I use claims for this, or would it be better to store this in a database?

Is there a limit on the amount of claims? Are there downsides of using too many claims (like Kerberos token bloat in active directory on premise)?

Alexander asked Oct 24 '25 18:10



1 Answer

Yes, there is a limit to the number of claims you can send. Claims are sent in the token, which is included in the request header. Both browsers and web servers have a maximum header size.

  • For browser limits see: Can HTTP headers be too big for browsers?
  • For web server limits see: Maximum on http header values?

Also, since you need to include the token in every authenticated API call, you'd be bloating every request, adding unnecessary latency to your application.

Note: This is not specific to Azure AD B2C.

Saca answered Oct 26 '25 10:10

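An added illustration of the answer's point, not code from the original post: it builds an HS256 token with stdlib Python only and compares the Authorization header size when every table permission is its own claim against a token that carries roles and resolves permissions server-side. The demo signing key, the 8 KiB header budget and the role table are constructed assumptions; real limits depend on the browser and server.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real signing key belongs to the identity provider, never the app.
DEMO_KEY = b"demo-signing-key-not-for-production"
# Constructed budget: a typical order of magnitude for request header limits, not a B2C value.
HEADER_BUDGET_BYTES = 8 * 1024

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_token(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS (header.payload.signature) to measure its size."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"

def auth_header_size(token: str) -> int:
    """Bytes added to every request by 'Authorization: Bearer <token>'."""
    return len(f"Authorization: Bearer {token}".encode("ascii"))

def fine_grained_token(num_tables: int) -> str:
    """Anti-pattern from the question: one claim entry per table/action permission."""
    perms = [f"table_{i:04d}:{a}" for i in range(num_tables) for a in ("read", "write")]
    return sign_token({"sub": "user-123", "permissions": perms})

def role_token(roles: list) -> str:
    """Compact alternative: carry only roles; the application resolves permissions itself."""
    return sign_token({"sub": "user-123", "roles": roles})

# Constructed role -> permission table; in practice this lives in the application database.
ROLE_PERMISSIONS = {
    "reporting": {"table_0001:read", "table_0002:read"},
    "editor": {"table_0001:read", "table_0001:write"},
}

def is_allowed(roles: list, permission: str, table: dict = ROLE_PERMISSIONS) -> bool:
    """Authorization check driven by a small role claim plus a server-side lookup."""
    return any(permission in table.get(role, set()) for role in roles)

if __name__ == "__main__":
    print(auth_header_size(fine_grained_token(1000)), auth_header_size(role_token(["editor"])))
```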