Suspended users who have not agreed to the most recent AUP end up in a (SURFconext) black hole (aka: end up in a login loop). This scenario turns out to be fairly frequent, as particularly the users who are suspended also haven;t logged in in quite a while (ergo, probably agreed with an older AUP, or none at all).
The flow is:
login
eduteams
/api/users/resume_session endpoint, user logged in correctly
redirected to /aup
right away redirected to eduteams for OIDC login
loop starts again
Instead of redirecting the user, the AUP screen should display the pink "you are suspended" banner and do nothing, or redirect the user to /, which also shows the banner and doesn't allow the user to log in again.
Suspended users who have not agreed to the most recent AUP end up in a (SURFconext) black hole (aka: end up in a login loop). This scenario turns out to be fairly frequent, as particularly the users who are suspended also haven;t logged in in quite a while (ergo, probably agreed with an older AUP, or none at all).
The flow is:
Instead of redirecting the user, the AUP screen should display the pink "you are suspended" banner and do nothing, or redirect the user to /, which also shows the banner and doesn't allow the user to log in again.
To reproduce: