OAuth nonce validation

I’m building a web app that will use OAuth to access the API. In this case the client will sign a request with a private key and the web service will verify that signature against the public cert on record.

In order to remove man-in-the-middle issues I’ll be storing nonces for a period of 10 minutes (GMT - 0005 to GMT + 0005).

I am thinking I can use an in-memory SQLite db, a dictionary, or perhaps an array of Nonce objects.

I need to use three components for the nonce: the OAuth token, timestamp and nonce. I am concerned about memory management with these options, where I will be deleting nonces past their TTL.

Your opinions will be gratefully received.
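The store the question describes, as an added example that is not part of the original post or any answer: an OAuth 1.0-style replay cache keyed on the (token, timestamp, nonce) triple, backed by the in-memory SQLite database the poster mentions. The window of plus or minus five minutes around the server clock, the table and column names, and the injectable clock are assumptions made for the example; the composite primary key turns duplicate detection into one atomic INSERT, and the purge bounds memory by deleting rows whose timestamp can no longer be accepted.

```python
import sqlite3
import time

# Assumed for this example: accept timestamps within +/-5 minutes of the
# server clock, which matches the 10-minute retention in the question.
WINDOW_SECONDS = 300


class NonceStore:
    """Replay cache for (token, timestamp, nonce) triples.

    Each triple is accepted at most once while its timestamp is inside the
    window. Rows older than the window are purged so memory stays bounded.
    """

    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._window = window
        self._db = sqlite3.connect(":memory:")
        # Composite primary key: a replayed triple fails the INSERT atomically,
        # so there is no check-then-insert race between requests.
        self._db.execute(
            "CREATE TABLE nonces ("
            " token TEXT NOT NULL, ts INTEGER NOT NULL, nonce TEXT NOT NULL,"
            " PRIMARY KEY (token, ts, nonce))"
        )
        self._db.execute("CREATE INDEX nonces_ts ON nonces(ts)")

    def check(self, token, timestamp, nonce):
        """Return (accepted, reason). Accepts only fresh, never-seen triples."""
        now = int(self._clock())
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "bad_timestamp"
        # Reject first on the window: a stale timestamp must never be stored,
        # otherwise an attacker could fill the table with unusable rows.
        if abs(now - ts) > self._window:
            return False, "stale_timestamp"
        try:
            with self._db:
                self._db.execute(
                    "INSERT INTO nonces (token, ts, nonce) VALUES (?, ?, ?)",
                    (token, ts, nonce),
                )
        except sqlite3.IntegrityError:
            return False, "replay"
        return True, "ok"

    def purge(self):
        """Delete rows too old to be accepted again; return how many."""
        now = int(self._clock())
        with self._db:
            cur = self._db.execute(
                "DELETE FROM nonces WHERE ts < ?", (now - self._window,)
            )
        return cur.rowcount

    def size(self):
        return self._db.execute("SELECT COUNT(*) FROM nonces").fetchone()[0]


def demo():
    """Constructed requests: a fresh one, its replay, a stale one, a bad one."""
    clock = [1_700_000_000]
    store = NonceStore(clock=lambda: clock[0])
    reasons = [
        store.check("tok1", 1_700_000_000, "n1")[1],        # ok
        store.check("tok1", 1_700_000_000, "n1")[1],        # replay
        store.check("tok2", 1_700_000_000, "n1")[1],        # ok: other token
        store.check("tok1", 1_700_000_000 - 301, "n2")[1],  # stale_timestamp
        store.check("tok1", "not-a-number", "n3")[1],       # bad_timestamp
    ]
    clock[0] += 600                 # ten minutes later both rows have expired
    purged = store.purge()
    return reasons, purged, store.size()


if __name__ == "__main__":
    print(demo())
```

Call purge() on a timer or every N requests; because the window check runs before the INSERT, the table can only ever hold rows from the last window, so its size is bounded by legitimate request volume. Two caveats: an in-memory SQLite database belongs to one process, so a load-balanced API needs a shared store (or a per-node store plus sticky sessions) for the cache to be meaningful, and the window must be wide enough to absorb client clock skew, which is why OAuth 1.0 servers typically report the server time back on a stale-timestamp rejection.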

If this is an API you control, the nonce seems unnecessary because properly validated TLS will handle MITM issues automatically.

But an in-memory SQLite database is a perfectly viable option. It’s fast enough that you’ll never notice. For example, did you know the IDE’s inspector uses one to help it determine which properties to show? If it helps you organize effectively, I would have no hesitation using it.

Thanks, Thom.