This article was written in 2019. It might or it might not be outdated. And it could be that the layout breaks. If that’s the case please let me know.

Son, what is this?

My father sent me a support email: all of a sudden he couldn’t log into his account for the newspaper he reads. The error message he read was not Greek to him, because he speaks Greek fluently. It was in some other language. It resembled Dutch, which he speaks fluently as well: he knew the words, he just didn’t understand what they meant. Here’s a translation:

Oops, something went wrong
If your browser uses plugins that block functionalities then you must add an exception rule for the domain This is our identity provider which is necessary for a working login.

From a service design perspective, and from an inclusive design point of view, this is not the best way to design this message, of course. How can you expect a non-computer-expert to understand what this means? From a simple security perspective you could wonder why you should allow an unknown domain to access your private data. I have taught my father about phishing emails: Do not click on links that look fishy. Indeed, this looks fishy. There are many ways in which this message is unnecessary and it helps no end user. But I don’t believe this is a design problem per se. I’d like to put it in context of the technology of the web, because I believe that’s where the problem comes from.

The web is for everyone by design. Paradoxically this means that it is inclusive by design, but at the same time it excludes people. Theoretically when you are a true expert in the fields of web technologies, screen UX, inclusive design, and when you have a deep understanding of different people and their different contexts, you should be able to create something that works for everybody. I don’t believe these experts exist, at least not in one person.

But the fact that the web is for everyone also means that everyone is allowed to publish on it, not only true uomini universali. Also non-experts are allowed to publish stuff. Which is of course a fantastic thing. But it also means that non-experts are allowed to implement things like an identity provider script.

I think this error message is not designed, I think it is an architectural flaw, based on a lack of understanding of the complexity of the browser and a lack of understanding of the complexity of the users of the web. The question the technical staff at this newspaper forgot to ask is: Is it really a good idea to depend on a third-party script to serve critical functionality to our users? It would be defensible to depend on a third-party service in your server architecture, but not in the client, in the browser, probably the weirdest and most chaotic technical environment ever. As a business owner I would get pretty annoyed with my technical team for breaking the site in such a silly and unnecessary way.

The big problem I have with these kinds of technical choices is that they work counter to the principle that the web should be there for everyone. They put technical ease above ease of use and security. These kinds of technical implementations make the web less inclusive. They exclude people who don’t understand what the error message above means. They exclude people who use basic security hygiene, like virus scanners and ad blockers.

So please, technical teams: do not create core functionality that depends on third-party scripts in the browser. If you really must, use the server for this. This saves me the time of having to try to explain a cryptic error message to my father. It saves me the time of getting into a silly Twitter quarrel with good friends. It saves me the time of having to write this blog post. And it allows my father to simply read the news instead of worrying if maybe he did something wrong.

Update: the newspaper contacted me and informed me that in the not too distant future this will be solved. There’s a new version of our OIDC platform that keeps working with such plugins and even works without JavaScript. That’s good news. For now I solved this issue for my father by disabling his ad blocker, which is of course an unwanted situation.
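
What "use the server for this" can look like, as an added example (not code from the newspaper or its identity provider): an OpenID Connect authorization-code login driven only by server redirects, so the browser never has to load a third-party script. The endpoint, client id and redirect URI are placeholders, and the `session` object stands in for whatever server-side session store the site uses.

```javascript
// Added example: server-side OIDC authorization-code login, no browser script.
const crypto = require('crypto');

// Placeholders (assumptions), not the newspaper's real values.
const IDP_AUTHORIZE = 'https://idp.example/authorize';
const CLIENT_ID = 'news-site';
const REDIRECT_URI = 'https://news.example/callback';

const b64url = (buf) => buf.toString('base64url');

// Step 1: the server answers GET /login with a 302 to the identity provider.
// Everything the callback must verify later stays in the server-side session.
function startLogin(session) {
  session.state = b64url(crypto.randomBytes(32));        // CSRF binding
  session.nonce = b64url(crypto.randomBytes(32));        // ID token replay binding
  session.codeVerifier = b64url(crypto.randomBytes(32)); // PKCE secret
  const challenge = b64url(
    crypto.createHash('sha256').update(session.codeVerifier).digest());
  const url = new URL(IDP_AUTHORIZE);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    scope: 'openid', state: session.state, nonce: session.nonce,
    code_challenge: challenge, code_challenge_method: 'S256',
  }).toString();
  return { status: 302, location: url.toString() };
}

// Step 2: the identity provider redirects the browser back to /callback.
// Returns the form body for the server-to-server token request, or throws.
function handleCallback(session, query) {
  const expected = session.state;
  delete session.state; // a state value is accepted once only
  if (query.error) throw new Error('idp error: ' + query.error);
  const got = Buffer.from(String(query.state || ''));
  const want = Buffer.from(expected || '');
  if (!expected || got.length !== want.length ||
      !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  if (!query.code) throw new Error('missing code');
  return new URLSearchParams({
    grant_type: 'authorization_code', code: query.code,
    redirect_uri: REDIRECT_URI, client_id: CLIENT_ID,
    code_verifier: session.codeVerifier,
  });
}
```

The token request and the ID token checks (signature, issuer, audience, nonce) then happen server to server and are not shown here.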