diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
index 4525c6578c..b849fcb46c 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
@@ -409,6 +409,8 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
                 ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
             }
+            await ValidateOpenIdConnectProtocolAsync(jwt, null);
+
             var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
             if (securityTokenValidatedNotification.HandledResponse)
             {
@@ -419,9 +421,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
                 return null;
             }
-            // If id_token is received using code only flow, no need to validate chash.
-            await ValidateOpenIdConnectProtocolAsync(jwt, message, false);
-
             return ticket;
         }
@@ -443,6 +442,8 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             var validationParameters = Options.TokenValidationParameters.Clone();
             ticket = ValidateToken(message.IdToken, message, properties, validationParameters, out jwt);
+            await ValidateOpenIdConnectProtocolAsync(jwt, message);
+
             var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
             if (securityTokenValidatedNotification.HandledResponse)
             {
@@ -453,8 +454,6 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
                 return null;
             }
-            await ValidateOpenIdConnectProtocolAsync(jwt, message);
-
             if (message.Code != null)
             {
                 var authorizationCodeReceivedNotification = await RunAuthorizationCodeReceivedNotificationAsync(message, properties, ticket, jwt);
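Review bot: The new call `await ValidateOpenIdConnectProtocolAsync(jwt, null);` in the code-only path (first hunk) hands the protocol validator a null `ProtocolMessage`, whereas the removed lines in the second hunk skipped only the c_hash check and still passed the authorization response message. Whether `OpenIdConnectProtocolValidator.Validate` tolerates a null message is not visible in this diff; if it dereferences it for the state or c_hash checks, every code-flow sign-in would fail after the token-endpoint round trip, and if it silently skips those checks the caller loses them without a trace. The null looks intentional (an id_token obtained from the token endpoint carries no c_hash, so presenting the code would make the validator reject it), but that reasoning should be stated at the call site, e.g. `// id_token came from the token endpoint: no c_hash/at_hash to check, so no protocol message is supplied`. The enclosing methods of all four hunks start and end outside the hunks, so I cannot confirm whether the nonce round trip happens elsewhere in them; the code-only test in the test file hunk appears to be the only coverage of this path.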
@@ -879,7 +878,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             return ticket;
         }
-        private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message, bool ValidateCHash = true)
+        private async Task ValidateOpenIdConnectProtocolAsync(JwtSecurityToken jwt, OpenIdConnectMessage message)
         {
             string nonce = jwt.Payload.Nonce;
             if (Options.CacheNonces)
@@ -902,16 +901,13 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             var protocolValidationContext = new OpenIdConnectProtocolValidationContext
             {
+                ProtocolMessage = message,
+                IdToken = jwt,
+                ClientId = Options.ClientId,
                 Nonce = nonce
             };
-            // If authorization code is null, protocol validator does not validate the chash
-            if (ValidateCHash)
-            {
-                protocolValidationContext.AuthorizationCode = message.Code;
-            }
-
-            Options.ProtocolValidator.Validate(jwt, protocolValidationContext);
+            Options.ProtocolValidator.Validate(protocolValidationContext);
         }
         ///
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs
index 46140011d5..85ff60903d 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs
@@ -58,7 +58,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
             BackchannelTimeout = TimeSpan.FromMinutes(1);
             Caption = OpenIdConnectAuthenticationDefaults.Caption;
             GetClaimsFromUserInfoEndpoint = false;
-            ProtocolValidator = new OpenIdConnectProtocolValidator();
+            ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireState = false };
             RefreshOnIssuerKeyNotFound = true;
             ResponseMode = OpenIdConnectResponseModes.FormPost;
             ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
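Review bot: `ValidateOpenIdConnectProtocolAsync` now builds the context with `ProtocolMessage = message` but is called with `null` for that argument from the code-only path, and nothing in the method documents that a null message is an accepted input, so a future caller or validator change can turn it into a NullReferenceException deep inside `Validate`. The `Nonce = nonce` value also comes from `jwt.Payload.Nonce` (first hunk), so the validator's nonce comparison only checks the token against itself; the actual binding of the nonce to the caller's session presumably happens in the `Options.CacheNonces` branch that lies between the two hunks, but that is not visible here. I would add an XML doc comment on the method stating that `message` is the authorization response and may be null when the id_token was obtained from the token endpoint (in which case c_hash/at_hash cannot be checked), and that `nonce` has already been matched against the cached or cookie-stored value before the validator sees it — if that last part is not true, the nonce check is effectively a no-op and needs a fix rather than a comment. The method's body between the two hunks is outside this diff.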
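Review bot: `ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireState = false };` switches off the validator's state check for every consumer of these options by default, and the line gives no reason. That is only safe if the handler performs its own state round trip through `StateDataFormat` before the validator runs, which this diff does not show; a reader auditing CSRF protection on the callback will otherwise read this as the check being disabled outright. Please add a why-comment on the line, e.g. `// State is validated by the handler itself via StateDataFormat; the protocol validator must not require it a second time.`, and confirm there is a test that rejects a callback with a missing or mismatched state.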
diff --git a/test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectHandlerTests.cs b/test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectHandlerTests.cs
index e96cb323f5..5dc58c6737 100644
--- a/test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectHandlerTests.cs
+++ b/test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectHandlerTests.cs
@@ -384,6 +384,7 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
             {
                 DefaultOptions(options);
                 options.ResponseType = OpenIdConnectResponseTypes.Code;
+                options.ProtocolValidator.RequireNonce = false;
                 options.StateDataFormat = new AuthenticationPropertiesFormaterKeyValue();
                 options.GetClaimsFromUserInfoEndpoint = true;
                 options.SecurityTokenValidators = new Collection { MockSecurityTokenValidator() };
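Review bot: `options.ProtocolValidator.RequireNonce = false;` removes nonce coverage from the only code-only flow test touched by this change, which is exactly the path that now passes a null protocol message to the validator. If the intent is that an id_token fetched from the token endpoint in this test fixture carries no nonce, state that in a comment, e.g. `// The mocked token-endpoint id_token carries no nonce; the nonce round trip is covered by the hybrid-flow tests.`, and make sure such a hybrid-flow test exists. Alternatively have the mock include the nonce so the default `RequireNonce` behaviour is exercised on the code-only path too. The test method this line belongs to starts and ends outside the hunk.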