Access token has been evicted due to a login elsewhere

Hi there,
I was wondering if you guys could confirm something around monzo access tokens for me.

My token is becoming “evicted” when I make a request from a computer different from the computer used to go through the oauth flow.

Error message: “Access token has been evicted due to a login elsewhere.”

Can you please confirm how this is becoming evicted, i.e. is the IP address of the original request being logged and used to validate that this has come from the same machine? If this is the case, can you please confirm whether there are any access token types available which allow for logins from different machines.

As I understand it each time you get an access token all previous tokens for that user and your client ID are revoked.
Presumably having a shared token store between Computer A and Computer B would solve this. As would getting a different app for each computer.


Thanks for the reply Robert. In this use case I would like to generate the token on computer A, and then make an API request for data on computer B (using the token generated on computer A). I’m not sure having a token store would solve this as it seems that Monzo adds the IP address as a claim to the token or something, and unless the request comes from the same IP address the token was generated from, the token becomes evicted.

Is there a reason computer B can’t request the token itself?

Yes, it has to follow the process mentioned above.

I’m not sure what you want to do is possible, it sounds like something that would deliberately be blocked from working in that way so as to protect against hijacking or MitM attacks.

Thinking aloud here, steps of authenticating:

  1. User gets link from Computer A and enters details into Monzo. Given this is designed to work with Computer A being a web server, the only way for Monzo to get the IP would be to trust the referer and do a reverse DNS lookup. They probably don’t. They would however know the user’s IP as that’s the machine making the request.
  2. User gets a redirect from Monzo back to Computer A; again Monzo can’t get the IP unless they choose to do a DNS lookup, which they probably don’t. I assume having the redirect go to Computer B is out of the question.
  3. Computer A uses information passed on the last redirect to get an access token from monzo. At this point they can get the IP as it’s computer A making the request.
  4. Presumably you pass the token from Computer A to Computer B using a secure method of transfer.
  5. Computer B tries using the token and breaks it for both Computer A and Computer B.

If computer A doesn’t need to keep access then I’d try transferring the information at step 3, not 4.
If computer A does need to keep access then I’d suggest you’d either need two apps (and therefore 2 authentications) or to use one of them as a proxy for the other.
If it is being locked to an IP (or more likely IP range to account for your app moving servers in a cloud provider setting) then I can’t see another way around.

Just to note that I recently tried my token from my laptop at my Dad’s home (giving me a completely different IP to what I have at home) and all worked fine. So perhaps HoldenCarver you’re looking in the wrong place?


Just a thought, given each refresh token can only be used once you’re not trying to use the same refresh token from computer A and computer B are you?
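The two rules the thread relies on (a fresh access token for a given client ID and user revokes every earlier one, and a refresh token is single-use) can be modelled in a few lines. The following is an added, constructed example that is not from the thread or from Monzo; the `TokenServer` class, its method names and the scenario functions are assumptions, and the model deliberately has no IP binding, consistent with the later report that a token worked from a different IP. It walks through the copied-token case, the two-client-IDs workaround, and the shared-token-store workaround mentioned earlier in the thread.

```python
import secrets

# Constructed example: a toy server-side token store that applies the two
# rules discussed in the thread. Not Monzo's implementation.
EVICTED = "Access token has been evicted due to a login elsewhere"


class TokenServer:
    """Token state for OAuth clients; keyed by (client_id, user)."""

    def __init__(self):
        self._access = {}           # access token -> (client_id, user)
        self._refresh = {}          # unused refresh token -> (client_id, user)
        self._used_refresh = set()  # refresh tokens already consumed

    def _issue(self, client_id, user):
        # Rule 1: a new access token evicts all earlier ones for this pair.
        for tok, owner in list(self._access.items()):
            if owner == (client_id, user):
                del self._access[tok]
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self._access[access] = (client_id, user)
        self._refresh[refresh] = (client_id, user)
        return access, refresh

    def exchange_code(self, client_id, user):
        """Step 3 of the thread: redeem the authorization code for tokens.
        The code itself is elided; assume it already identified the user."""
        return self._issue(client_id, user)

    def refresh(self, refresh_token):
        """Rule 2: a refresh token works exactly once."""
        if refresh_token in self._used_refresh:
            return None, None, "refresh token already used"
        owner = self._refresh.pop(refresh_token, None)
        if owner is None:
            return None, None, "unknown refresh token"
        self._used_refresh.add(refresh_token)
        access, new_refresh = self._issue(*owner)
        return access, new_refresh, "ok"

    def call_api(self, access_token):
        return "ok" if access_token in self._access else EVICTED


def scenario_copied_token():
    """Computer A logs in and copies its tokens to B; B later refreshes."""
    srv = TokenServer()
    a_access, a_refresh = srv.exchange_code("client-1", "alice")
    b_before = srv.call_api(a_access)            # B uses the copied token
    _, _, status = srv.refresh(a_refresh)        # B refreshes with A's refresh token
    return {
        "b_before_refresh": b_before,            # fine: no machine binding here
        "refresh_status": status,                # "ok" the first time
        "a_after_refresh": srv.call_api(a_access),  # A's token is now evicted
        "a_refresh_again": srv.refresh(a_refresh)[2],  # refresh token is spent
    }


def scenario_same_client_twice():
    """Logging in twice with one client ID: the first token is evicted."""
    srv = TokenServer()
    first, _ = srv.exchange_code("client-1", "alice")
    second, _ = srv.exchange_code("client-1", "alice")
    return srv.call_api(first), srv.call_api(second)


def scenario_two_clients():
    """Workaround 1: separate client IDs (apps) per computer coexist."""
    srv = TokenServer()
    a_access, _ = srv.exchange_code("client-A", "alice")
    b_access, _ = srv.exchange_code("client-B", "alice")
    return srv.call_api(a_access), srv.call_api(b_access)


def scenario_shared_store():
    """Workaround 2: A and B read the current pair from one shared store."""
    srv = TokenServer()
    store = {}  # shared between A and B; always holds the latest pair
    store["access"], store["refresh"] = srv.exchange_code("client-1", "alice")
    new_access, new_refresh, status = srv.refresh(store["refresh"])  # B refreshes
    store["access"], store["refresh"] = new_access, new_refresh      # B writes back
    return status, srv.call_api(store["access"])  # A reads the fresh token


if __name__ == "__main__":
    print(scenario_copied_token())
    print(scenario_same_client_twice())
    print(scenario_two_clients())
    print(scenario_shared_store())
```

The copied-token scenario is the failure the original poster describes: the copied access token itself works, but the moment either machine refreshes, the other machine's token is revoked and the shared refresh token can never be used again. Either of the two workaround scenarios avoids that without any per-machine binding.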