My application implements LTI which receives signed requests with OAuth HMAC-SHA1. They look like:
oauth_version:1.0
oauth_nonce:0aaa53c5d8518ahh56203f5eac773023
oauth_timestamp:1497069755
oauth_consumer_key:foo-test
oauth_callback:about:blank
user_id:99
lti_version:LTI-1p0
lti_message_type:basic-lti-launch-request
oauth_signature_method:HMAC-SHA1
oauth_signature:qe5puCiqcU7UjIe/0NZ0oy4M/8c=
The request can ONLY happen over SSL (we implement no other connection options). So I'm trying to determine if there is any purpose in verifying the oauth_nonce. I believe that the purpose of the nonce is entirely to prevent replay attacks which is already a feature of SSL.
Storing the nonce values will cost money and waste time for each user so I only want to do it if it has some value.
Is there value in storing nonces and rejecting any duplicate requests when the request is made over SSL?
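An added example, not the asker's code, of the check the OAuth 1.0 nonce exists for: a replay cache keyed by (consumer key, timestamp, nonce) that is bounded by the timestamp acceptance window, so storage covers only the window rather than all past launches. The sample launch fields are taken from the question; the 300 s window and the class and method names are assumptions.

```python
import time


# Constructed sample launch, using the field values from the question.
SAMPLE_LAUNCH = {
    "oauth_version": "1.0",
    "oauth_nonce": "0aaa53c5d8518ahh56203f5eac773023",
    "oauth_timestamp": "1497069755",
    "oauth_consumer_key": "foo-test",
    "oauth_signature_method": "HMAC-SHA1",
}


class NonceCache:
    """Replay cache for OAuth 1.0 launches (assumed name, not from the question).

    A nonce only has to be remembered while its timestamp is still inside the
    acceptance window; after that the timestamp check alone rejects a replay,
    so the entry can be dropped. Storage is therefore bounded by the request
    rate inside the window, not by history. A production deployment would put
    the same keys in a store with TTL expiry instead of this in-process dict.
    """

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self._seen = {}  # (consumer_key, timestamp, nonce) -> expiry time

    def __len__(self):
        return len(self._seen)

    def _evict(self, now):
        # Drop entries whose timestamp can no longer pass the window check.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}

    def check(self, params, now=None):
        """Return (accepted, reason) for one signed launch request."""
        now = time.time() if now is None else now
        self._evict(now)
        try:
            ts = int(params["oauth_timestamp"])
            key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        except (KeyError, ValueError):
            return False, "missing or malformed oauth parameters"
        if abs(now - ts) > self.window:
            return False, "timestamp outside acceptance window"
        if key in self._seen:
            return False, "duplicate nonce for this consumer key and timestamp"
        self._seen[key] = ts + self.window
        return True, "accepted"
```

The signature check (HMAC-SHA1 over the base string) still runs separately; this cache only decides whether an otherwise valid launch has already been seen.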