We have been migrating couple of projects to ASP.NET Core 2.0 recently. Amongst the major changes in ASP.NET Core 2.0, probably the biggest change has been done in the Authentication. I have written an article about cookie size in ASP.NET Core which explains the basic issue with too many claims in the identity. ASP.NET Core 2.0 OIDC addresses this by removing some of the token values from the identity on the background.
When I was writing a web application with ASP.NET Core with Azure AD and Microsoft Graph, I ran into a very interesting issue – the identity cookies would get really large (8 kB or more in chunked authentication cookies) and therefore all the requests to the site would contain this much data in headers. This was bearable because it just “worked” but then I tried accessing the site from Safari on a MacBook or an iPhone and the server would return errors when trying to rebuild the user’s identity.