Given this architecture, my question is about checking the request token data from the first step against the one returned by Twitter in the callback URL (second step).
The data from the request token step, namely the oauth_token string, is what I would like to store on the client side in the browser using sessionStorage (as unencrypted data), so I can check that the request token from the first step matches the one from the second.
Now I’ve read the OAuth 1.0a specification and didn’t find anywhere this requirement of checking the request tokens from first and second step so it must not be a security issue(?). Further, I tried to abuse this request token in various ways and Twitter acted safely by responding with ‘bad authorization data’ and so on.
Also, the Twitter docs for implementing the 3-leg flow with /oauth/authorize nowhere mention this token-checking thing, while the docs for the 3-leg flow with /oauth/authenticate, or 'sign in with Twitter', clearly state it like so:
“Your application should verify that the token matches the request token received in step 1”
So, is this a SHOULD or a MUST thing? I'm currently thinking of implementing the matching of tokens (oauth_token) from the first and second step by leaving it unencrypted in sessionStorage so it can survive redirections in "SPA" cases (single page apps), and site cases where the redirection lands on a different page.
Hence it could be a convenient automated process (leaving the user out of it).
What do you think about this?
Edit: Please, any feedback appreciated! Is my question too dumb/low effort, what is it?
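The check the post is asking about, as an added example that is not code from the original post or from Twitter's docs: the request token is stored in sessionStorage before the redirect, and on the callback page the oauth_token in the query string is compared against it and the stored value is consumed. STORAGE_KEY and the function names are my own, and the in-memory fallback exists only so the block runs outside a browser.

```javascript
// Added example: tying the oauth_token from the request_token step to the
// oauth_token that Twitter sends back on the callback URL.
const STORAGE_KEY = 'oauth_request_token'; // hypothetical key name

// In a browser this is window.sessionStorage. Outside one (e.g. running under
// Node) fall back to a constructed in-memory stand-in with the same API.
const storage = (typeof sessionStorage !== 'undefined') ? sessionStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

// Step 1: after obtaining the request token, remember it before redirecting
// the user to /oauth/authorize or /oauth/authenticate.
function rememberRequestToken(oauthToken) {
  if (typeof oauthToken !== 'string' || oauthToken.length === 0) {
    throw new Error('request token must be a non-empty string');
  }
  storage.setItem(STORAGE_KEY, oauthToken);
}

// Step 2: on the callback page, compare the oauth_token in the query string
// with the stored one. Returns { oauthToken, oauthVerifier } on a match and
// throws otherwise. The stored value is cleared either way, so a stored token
// can only be used for one callback.
function verifyCallback(queryString) {
  const params = new URLSearchParams(queryString); // strips a leading '?'
  const expected = storage.getItem(STORAGE_KEY);
  storage.removeItem(STORAGE_KEY);

  const received = params.get('oauth_token');
  const verifier = params.get('oauth_verifier');

  if (expected === null) {
    throw new Error('no request token in sessionStorage: flow was not started here');
  }
  if (received === null || verifier === null) {
    throw new Error('callback is missing oauth_token or oauth_verifier');
  }
  if (received !== expected) {
    throw new Error('oauth_token in callback does not match the stored request token');
  }
  return { oauthToken: received, oauthVerifier: verifier };
}
```

The returned oauthVerifier is what the third step (exchanging for the access token) needs; the callback is rejected whenever the flow was not started in this browser session or the token differs.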