Wednesday, May 2, 2018

How to deal with large JWTs

How do you guys deal with JWTs that exceed the default request header limit size in IIS (7kb)? For example, some of our users have JWTs that are around 175kb due to the amount of claims in them.

I've looked into using GZIP Compression but it seems somewhat unnatural to tell a client that they need to compress a JWT before sending it along with their HTTP Request to a protected resource. Also, I've done a few tests and I seem to get different values when I GZIP and then ToBase64String a JWT in C# versus other languages such as Python.

I know I can change the header size limit in IIS but isn't that a security concern? Also, I could try to limit the amount of data in my JWT claims but I was hoping to avoid that if possible.

Any insight into this is greatly appreciated. Thanks!
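As an added example, not part of the original question: the byte differences the poster sees between C# and Python are expected, because gzip output is not canonical. The fixed 10-byte gzip member header (RFC 1952) carries MTIME, XFL and OS fields that each implementation fills in its own way, and the deflate stream itself depends on the library and compression level. The correct check is to decompress both encodings and compare the recovered token, not the base64 strings. The token below is a constructed, unsigned JWT-shaped string with a placeholder signature (no real key or issuer); the claim count is chosen only so that the token is well above a 7kb header limit.

```python
"""Added example: why gzip+base64 of the same JWT differs between
implementations, and how to compare what actually matters (the decompressed token)."""
import base64
import gzip
import io
import json
import struct


def build_sample_jwt(num_claims: int = 2000) -> str:
    """Constructed, unsigned JWT-shaped token with many claims (not a real token)."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "user-123", "iss": "https://idp.example.test"}  # assumed values
    for i in range(num_claims):
        payload[f"perm_{i}"] = f"urn:example:permission:{i}"
    # Placeholder signature of HS256 length; it is not computed from any key.
    return f"{b64url(header)}.{b64url(payload)}.{'A' * 43}"


def gzip_b64(token: str, mtime: int = 0, level: int = 9) -> str:
    """gzip then base64 the token. MTIME is set explicitly so the output is reproducible;
    Python's default (mtime=None) stamps the current time into the header."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(token.encode())
    return base64.b64encode(buf.getvalue()).decode()


def gunzip_b64(value: str) -> str:
    """Reverse of gzip_b64: base64-decode, then gunzip back to the token text."""
    return gzip.decompress(base64.b64decode(value)).decode()


def gzip_header_fields(value: str) -> dict:
    """Parse the fixed 10-byte gzip member header (RFC 1952): ID1 ID2 CM FLG MTIME XFL OS."""
    raw = base64.b64decode(value)
    id1, id2, cm, flg, mtime, xfl, os_ = struct.unpack("<BBBBIBB", raw[:10])
    if (id1, id2, cm) != (0x1F, 0x8B, 8):
        raise ValueError("not a gzip member with deflate compression")
    return {"flg": flg, "mtime": mtime, "xfl": xfl, "os": os_}


def same_token(a: str, b: str) -> bool:
    """Compare two gzip+base64 encodings by what they decompress to, not by their bytes."""
    return gunzip_b64(a) == gunzip_b64(b)


def demo() -> dict:
    token = build_sample_jwt()
    # Two encodings of the identical token: different MTIME (2018-05-02 UTC) and level,
    # standing in for "two languages produced different strings".
    a = gzip_b64(token, mtime=0, level=9)
    b = gzip_b64(token, mtime=1_525_219_200, level=6)
    return {
        "token_bytes": len(token),
        "compressed_b64_bytes": len(a),
        "encodings_identical": a == b,
        "contents_identical": same_token(a, b),
        "header_a": gzip_header_fields(a),
        "header_b": gzip_header_fields(b),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the two base64 strings differ while `contents_identical` is true, and the parsed headers show exactly where the first difference sits (the MTIME and XFL bytes). Note that standard base64 emits `+`, `/` and `=`; if the compressed token ever travels in a URL rather than a header, base64url encoding is the safer choice.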
