authorAndrew Arnott <andrewarnott@gmail.com>2010-03-22 14:22:14 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2010-03-22 14:22:14 -0700
commitb44eff9447fc1335c077b47d55f2e5db1439fcfc (patch)
tree0aaf3284ec1db64be5acd8aab4e932c7bec5be27 /src
parent358bef9650615ebe5235b2529c0265b96b5e32bf (diff)
OpenIdRelyingParty no longer filters out OpenID 1.1 endpoints when in stateless mode if the RP has already opted out of replay protection for downlevel OPs.
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
index dc8e50f..a416f3a 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
@@ -128,11 +128,11 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
// Without a nonce store, we must rely on the Provider to protect against
// replay attacks. But only 2.0+ Providers can be expected to provide
// replay protection.
- if (nonceStore == null) {
- if (this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20) {
- Logger.OpenId.Warn("Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks.");
- this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
- }
+ if (nonceStore == null &&
+ this.SecuritySettings.ProtectDownlevelReplayAttacks &&
+ this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20) {
+ Logger.OpenId.Warn("Raising minimum OpenID version requirement for Providers to 2.0 to protect this stateless RP from replay attacks.");
+ this.SecuritySettings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
}
this.channel = new OpenIdChannel(associationStore, nonceStore, this.SecuritySettings);
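Review bot: When `nonceStore == null` and `ProtectDownlevelReplayAttacks` is false, the new condition leaves `MinimumRequiredOpenIdVersion` below 2.0 and logs nothing, so a stateless RP that accepts OpenID 1.x assertions with no replay protection looks the same in the logs as a protected one. I would add a companion branch that records the opt-out, e.g. `else if (nonceStore == null && this.SecuritySettings.MinimumRequiredOpenIdVersion < ProtocolVersion.V20) { Logger.OpenId.Warn("Stateless RP accepts OpenID 1.x Providers with replay protection disabled."); }`. The comment above the `if` still reads as if the version is always raised and should gain a line such as `// Skipped when the host has opted out via ProtectDownlevelReplayAttacks.`. The check appears to run only once at this point, so a later change to either setting would presumably not be re-evaluated; the enclosing member starts and ends outside the hunk, so that should be confirmed against the full file.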