Storing the data from request token step (security concerns)
I'm writing a lib in JavaScript that handles Twitter's 3-leg OAuth 1.0a. I have all 3 steps (legs) working (soon it will be in beta). I used a client-server architecture to implement OAuth. Before you start yelling, I will say that the client part involves only making the needed OAuth strings (signature base string, authorization string) but leaves out sensitive data like consumer_key and signature. The server code inserts this left-out sensitive data into the strings appropriately and signs the request. So the server mostly acts as a signing/stamping authority and the client does the OAuth string lifting.

Given this architecture, my question is about checking the request token data from the first step against the one returned by Twitter in the callback URL (second step).

The data from the request token step, namely the oauth_token string, is what I would like to store on the client side in the browser using sessionStorage (as unencrypted data), so I can check that the request token from the first step matches the one from the second.

Now I've read the OAuth 1.0a specification and didn't find this requirement of checking the request tokens from the first and second step anywhere, so it must not be a security issue(?). Further, I tried to abuse this request token in various ways and Twitter acted safely by responding with 'bad authorization data' and so on.

Also, the Twitter docs for implementing the 3-leg flow with /oauth/authorize nowhere mention this token-checking thing, while the docs for the 3-leg flow with /oauth/authenticate, or 'Sign in with Twitter', clearly state it like so:
"Your application should verify that the token matches the request token received in step 1"

So, is this a SHOULD or a MUST thing? I'm currently thinking of implementing the matching of tokens (oauth_token) from the first and second step by leaving it unencrypted in sessionStorage so it can survive redirections in "SPA" cases (single page apps), and site cases where the redirection lands on a different page.
Hence it could be a convenient automated process (leaving the user out of it).

What do you think about this?

Edit: Please, any feedback appreciated! Is my question too dumb/low effort, what is it?
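The check the post is asking about, as an added example that is not part of the original post: remember the step-1 oauth_token across the authorize redirect, then on the callback compare it with the oauth_token Twitter sends back and clear it so a stale or repeated callback is rejected. The `store` parameter stands in for window.sessionStorage (an assumption made so the same code runs outside a browser); the key name and the callback URL are constructed for the example.

```javascript
// Added example (not the original lib's code): persisting the step-1 request
// token across the authorize redirect and checking it on the step-2 callback.
// `store` is anything with getItem/setItem/removeItem, e.g. window.sessionStorage;
// the memoryStore() below is a stand-in so the example runs under Node.
const KEY = 'twitter_oauth_request_token'; // assumed key name

// Step 1: once the server has obtained the request token, remember only the
// public oauth_token (never the token secret) until the callback arrives.
function rememberRequestToken(store, oauthToken) {
  if (typeof oauthToken !== 'string' || oauthToken.length === 0) {
    throw new Error('request token is missing');
  }
  store.setItem(KEY, oauthToken);
}

// Step 2: parse the callback URL (…/cb?oauth_token=…&oauth_verifier=…) and
// compare its oauth_token with the one stored in step 1. The stored value is
// removed before comparing, so each pending request token is usable once.
// Returns { ok, token, verifier } on success or { ok: false, reason }.
function verifyCallback(store, callbackUrl) {
  const expected = store.getItem(KEY);
  store.removeItem(KEY);
  const params = new URL(callbackUrl).searchParams;
  const token = params.get('oauth_token');
  const verifier = params.get('oauth_verifier');
  if (!expected) return { ok: false, reason: 'no pending request token' };
  if (!token || !verifier) {
    return { ok: false, reason: 'callback missing oauth_token or oauth_verifier' };
  }
  if (token !== expected) {
    return { ok: false, reason: 'oauth_token does not match step 1' };
  }
  return { ok: true, token, verifier };
}

// Minimal in-memory stand-in for sessionStorage (constructed for this example).
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Only after verifyCallback returns ok should the oauth_verifier be handed to the server for the step-3 access-token exchange.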