AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License
670 stars 206 forks

To get all groups when the claim is group overage #369

Open Shama-K opened 4 years ago

Shama-K commented 4 years ago

Is your feature request related to a problem? Please describe.
If the number of groups for the user goes over a limit (6 for SPA, 150 for SAML, 200 for JWT), then an overage claim is returned. It requires an additional Graph call to get the groups.

Describe the solution you'd like
To get all the groups the user belongs to in the groups claim when the number of groups goes over the limit.
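The overage mechanism described in the request can be recognised from the claims alone, before any Graph call is made. The following is an added example, not code from microsoft-identity-web or from #846: it inspects a ClaimsPrincipal built from an Azure AD token and classifies the groups claim as complete, replaced by an overage marker, or absent. It assumes the token handler copied the `groups`, `hasgroups`, `_claim_names` and `_claim_sources` claims verbatim into the principal (JSON-valued claims as their JSON text); the class, method and sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

// Added example (not microsoft-identity-web code). Decides, from the claims the
// token handler copied into the ClaimsPrincipal, whether the "groups" claim can be
// trusted as complete or whether Azure AD replaced it with an overage marker.
public static class GroupOverageInspector
{
    public enum GroupsState
    {
        Complete,   // "groups" present and no overage marker: use it as-is
        Overage,    // token signals overage: resolve membership via Microsoft Graph
        Absent      // no groups claim and no marker: app not configured to emit groups
    }

    public static GroupsState Inspect(ClaimsPrincipal principal)
    {
        // Implicit-flow / SPA tokens mark overage with "hasgroups": true.
        if (principal.HasClaim(c => c.Type == "hasgroups" && c.Value == "true"))
            return GroupsState.Overage;

        // JWT tokens mark overage with "_claim_names": {"groups": "<source key>"}
        // and "_claim_sources": {"<source key>": {"endpoint": "..."}}.
        var claimNames = principal.FindFirst("_claim_names")?.Value;
        if (claimNames is not null)
        {
            using var doc = JsonDocument.Parse(claimNames);
            if (doc.RootElement.ValueKind == JsonValueKind.Object
                && doc.RootElement.TryGetProperty("groups", out _))
                return GroupsState.Overage;
        }

        return principal.HasClaim(c => c.Type == "groups")
            ? GroupsState.Complete
            : GroupsState.Absent;
    }

    // Group object IDs from the token; only meaningful when Inspect() returns Complete.
    public static IReadOnlyList<string> GroupsFromToken(ClaimsPrincipal principal) =>
        principal.FindAll("groups").Select(c => c.Value).ToList();

    public static void Main()
    {
        // Constructed sample 1: token carrying two groups and no overage marker.
        var complete = Build(
            new Claim("groups", "00000000-0000-0000-0000-000000000001"),
            new Claim("groups", "00000000-0000-0000-0000-000000000002"));

        // Constructed sample 2: groups omitted, overage marker pointing at a placeholder source.
        var overage = Build(
            new Claim("_claim_names", "{\"groups\":\"src1\"}"),
            new Claim("_claim_sources", "{\"src1\":{\"endpoint\":\"https://example.invalid/placeholder\"}}"));

        Console.WriteLine($"sample 1: {Inspect(complete)} ({GroupsFromToken(complete).Count} groups in token)");
        Console.WriteLine($"sample 2: {Inspect(overage)} -> resolve membership from Graph before authorizing");
    }

    private static ClaimsPrincipal Build(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "ConstructedSample"));
}
```

The Graph call itself is deliberately left to the caller, since the SDK surface differs between versions. The security-relevant point is in the three-way result: an `Overage` principal has no groups claim, so an authorization check that simply reads `groups` would see an empty list and, depending on policy, either deny a legitimate user or silently skip a group-based restriction. Treat `Overage` as "membership unknown" and fail closed until the Graph lookup has completed.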

jmprieur commented 4 years ago

@jennyf19 @pmaytak @henrik-me FYI, Shama has already done some work in this space, which is a big pain for customers who don't understand why sometimes there is something in groups and why sometimes not. Shama's work leverages the Graph SDK (which adds a dependency, but this way we could also add the AddMicrosoftGraph() command, which is in the templates for the moment, so that might be a good idea). Let's discuss this. I'm all for this feature.

hajekj commented 3 years ago

Hi, I drafted this feature in #846. Would it be sufficient, @jmprieur / @Shama-K?

I believe it doesn't make sense to pull all of a user's groups at once: it will be very inefficient, and it won't cover the transitive membership scenarios. The groups would end up being stored in the identity ticket, and eventually in the identity cookie, which would result in the following issue: https://hajekj.net/2017/03/20/cookie-size-and-cookie-authentication-in-asp-net-core/