diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/HomeController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/HomeController.cs index dd99411a..15ccdb36 100644 --- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/HomeController.cs +++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/HomeController.cs @@ -1,14 +1,10 @@ -using System; -using System.Linq; -using System.Net.Http; +using System.Net.Http; using System.Net.Http.Headers; using System.Threading; using System.Threading.Tasks; using System.Web; using System.Web.Mvc; -using Microsoft.Owin.Security; using Microsoft.Owin.Security.Cookies; -using OpenIddict.Client; using static OpenIddict.Client.Owin.OpenIddictClientOwinConstants; namespace OpenIddict.Sandbox.AspNet.Client.Controllers @@ -16,20 +12,14 @@ namespace OpenIddict.Sandbox.AspNet.Client.Controllers public class HomeController : Controller { private readonly IHttpClientFactory _httpClientFactory; - private readonly OpenIddictClientService _service; - public HomeController( - IHttpClientFactory httpClientFactory, - OpenIddictClientService service) - { - _httpClientFactory = httpClientFactory; - _service = service; - } + public HomeController(IHttpClientFactory httpClientFactory) + => _httpClientFactory = httpClientFactory; [HttpGet, Route("~/")] public ActionResult Index() => View(); - [Authorize, HttpPost, Route("~/message")] + [Authorize, HttpPost, Route("~/")] [ValidateAntiForgeryToken] public async Task Index(CancellationToken cancellationToken) { 
@@ -48,39 +38,5 @@ namespace OpenIddict.Sandbox.AspNet.Client.Controllers return View(model: await response.Content.ReadAsStringAsync()); } - - [Authorize, HttpPost, Route("~/refresh-token")] - [ValidateAntiForgeryToken] - public async Task RefreshToken(CancellationToken cancellationToken) - { - var context = HttpContext.GetOwinContext(); - - var result = await context.Authentication.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType); - if (!result.Properties.Dictionary.TryGetValue(Tokens.RefreshToken, out string token)) - { - return new HttpStatusCodeResult(400); - } - - var (response, principal) = await _service.AuthenticateWithRefreshTokenAsync( - issuer: new Uri(result.Identity.Claims.Select(claim => claim.Issuer).First(), UriKind.Absolute), - token: token, - cancellationToken: cancellationToken); - - var properties = new AuthenticationProperties(result.Properties.Dictionary) - { - RedirectUri = null - }; - - properties.Dictionary[Tokens.BackchannelAccessToken] = response.AccessToken; - - if (!string.IsNullOrEmpty(response.RefreshToken)) - { - properties.Dictionary[Tokens.RefreshToken] = response.RefreshToken; - } - - context.Authentication.SignIn(properties, result.Identity); - - return View("Index", model: response.AccessToken); - } } } diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs index 4ad35853..f78bc613 100644 --- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs +++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs 
@@ -82,10 +82,8 @@ namespace OpenIddict.Sandbox.AspNet.Client options.SetPostLogoutRedirectionEndpointUris( "/callback/logout/local"); - // Note: this sample uses the authorization code and refresh token - // flows, but you can enable the other flows if necessary. - options.AllowAuthorizationCodeFlow() - .AllowRefreshTokenFlow(); + // Note: this sample uses the code flow, but you can enable the other flows if necessary. + options.AllowAuthorizationCodeFlow(); // Register the signing and encryption credentials used to protect // sensitive data like the state tokens produced by OpenIddict. @@ -130,7 +128,6 @@ namespace OpenIddict.Sandbox.AspNet.Client options.SetClientId("1016114395689-kgtgq2p6dj27d7v6e2kjkoj54dgrrckh.apps.googleusercontent.com") .SetClientSecret("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") .SetRedirectUri("https://localhost:44378/callback/login/google") - .SetAccessType("offline") .AddScopes(Scopes.Profile); }) .UseTwitter(options => diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Views/Home/Index.cshtml b/sandbox/OpenIddict.Sandbox.AspNet.Client/Views/Home/Index.cshtml index b4f102d0..2115a85a 100644 --- a/sandbox/OpenIddict.Sandbox.AspNet.Client/Views/Home/Index.cshtml +++ b/sandbox/OpenIddict.Sandbox.AspNet.Client/Views/Home/Index.cshtml @@ -1,8 +1,4 @@ @using System.Security.Claims -@using Microsoft.Owin -@using Microsoft.Owin.Security -@using Microsoft.Owin.Security.Cookies -@using OpenIddict.Client.Owin @model string
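Review bot: The Google registration on the context lines of the second hunk still carries a literal client secret in `.SetClientSecret("GOCSPX-…")` next to the client id, and the same literal appears in the matching hunk of sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs. Even for a sandbox, a secret committed to a public repository should be treated as compromised: rotate it in the Google console and load it from configuration (app settings for this OWIN project, user secrets or IConfiguration for the ASP.NET Core one) so the checked-in file holds only a placeholder. Dropping `.SetAccessType("offline")` is consistent with removing the refresh token flow in the first hunk; a one-line comment on the new side such as `// No offline access is requested: this sample no longer uses refresh tokens.` would make that intent explicit to readers of the Google registration.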
@@ -19,30 +15,19 @@ if (!string.IsNullOrEmpty(Model)) { -

Payload returned by the controller: @Model

+

Message received from the resource controller: @Model

} if (User is ClaimsPrincipal principal && principal.FindFirst(ClaimTypes.NameIdentifier)?.Issuer is "https://localhost:44349/") { -
+ @Html.AntiForgeryToken()
} - if (Context.GetOwinContext() is IOwinContext context && - context.Authentication.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType).Result is AuthenticateResult result && - result.Properties.Dictionary.ContainsKey(OpenIddictClientOwinConstants.Tokens.RefreshToken)) - { -
- @Html.AntiForgeryToken() - - -
- } -
@Html.AntiForgeryToken() diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/HomeController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/HomeController.cs index a402bb99..aea5f97c 100644 --- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/HomeController.cs +++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Controllers/HomeController.cs @@ -3,31 +3,25 @@ using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using OpenIddict.Client; -using static OpenIddict.Client.AspNetCore.OpenIddictClientAspNetCoreConstants; +using OpenIddict.Client.AspNetCore; namespace OpenIddict.Sandbox.AspNetCore.Client.Controllers; public class HomeController : Controller { private readonly IHttpClientFactory _httpClientFactory; - private readonly OpenIddictClientService _service; - public HomeController( - IHttpClientFactory httpClientFactory, - OpenIddictClientService service) - { - _httpClientFactory = httpClientFactory; - _service = service; - } + public HomeController(IHttpClientFactory httpClientFactory) + => _httpClientFactory = httpClientFactory; [HttpGet("~/")] public ActionResult Index() => View(); - [Authorize, HttpPost("~/message"), ValidateAntiForgeryToken] - public async Task GetMessage(CancellationToken cancellationToken) + [Authorize, HttpPost("~/"), ValidateAntiForgeryToken] + public async Task Index(CancellationToken cancellationToken) { - var token = await HttpContext.GetTokenAsync(CookieAuthenticationDefaults.AuthenticationScheme, Tokens.BackchannelAccessToken); + var token = await HttpContext.GetTokenAsync(CookieAuthenticationDefaults.AuthenticationScheme, + OpenIddictClientAspNetCoreConstants.Tokens.BackchannelAccessToken); using var client = _httpClientFactory.CreateClient(); 
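Review bot: The new Index POST action reads the backchannel access token with `GetTokenAsync`, but the hunk shows no check that the value is non-null before the outgoing request is built; the rest of the method body lies outside the hunk, so the check may exist further down, but if it does not, a cookie that stores no token would presumably produce an invalid or empty bearer header. Mirroring the style the removed refresh-token action used, `if (string.IsNullOrEmpty(token)) { return BadRequest(); }` directly after the `GetTokenAsync` call would fail fast with a clear status. The same question applies to the OWIN sample's Index action in sandbox/OpenIddict.Sandbox.AspNet.Client/Controllers/HomeController.cs, whose body is not visible in this diff.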
@@ -37,38 +31,6 @@ public class HomeController : Controller using var response = await client.SendAsync(request, cancellationToken); response.EnsureSuccessStatusCode(); - return View("Index", model: await response.Content.ReadAsStringAsync(cancellationToken)); - } - - [Authorize, HttpPost("~/refresh-token"), ValidateAntiForgeryToken] - public async Task RefreshToken(CancellationToken cancellationToken) - { - var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme); - var token = result?.Properties.GetTokenValue(Tokens.RefreshToken); - if (string.IsNullOrEmpty(token)) - { - return BadRequest(); - } - - var (response, principal) = await _service.AuthenticateWithRefreshTokenAsync( - issuer: new Uri(result.Principal.Claims.Select(claim => claim.Issuer).First(), UriKind.Absolute), - token: token, - cancellationToken: cancellationToken); - - var properties = new AuthenticationProperties(result.Properties.Items) - { - RedirectUri = null - }; - - properties.UpdateTokenValue(Tokens.BackchannelAccessToken, response.AccessToken); - - if (!string.IsNullOrEmpty(response.RefreshToken)) - { - properties.UpdateTokenValue(Tokens.RefreshToken, response.RefreshToken); - } - - await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, result.Principal, properties); - - return View("Index", model: response.AccessToken); + return View(model: await response.Content.ReadAsStringAsync(cancellationToken)); } } diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs index 5a1c3703..d9bcc474 100644 --- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs +++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs 
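Review bot: With the refresh token flow removed, the sample has no way to renew an expired backchannel access token, and `response.EnsureSuccessStatusCode()` on the new side turns the resource server's 401 into an unhandled HttpRequestException (an error page) instead of prompting the user to sign in again. Handling that case explicitly before the EnsureSuccessStatusCode call, e.g. `if (response.StatusCode is System.Net.HttpStatusCode.Unauthorized) { return Challenge(); }` (or whatever re-authentication path the sample prefers), keeps the failure understandable once the cached token ages out. The same pattern presumably exists in the OWIN HomeController.cs under sandbox/OpenIddict.Sandbox.AspNet.Client, whose corresponding lines are not part of this diff.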
@@ -91,10 +91,8 @@ public class Startup options.SetPostLogoutRedirectionEndpointUris( "/callback/logout/local"); - // Note: this sample uses the authorization code and refresh token - // flows, but you can enable the other flows if necessary. - options.AllowAuthorizationCodeFlow() - .AllowRefreshTokenFlow(); + // Note: this sample uses the code flow, but you can enable the other flows if necessary. + options.AllowAuthorizationCodeFlow(); // Register the signing and encryption credentials used to protect // sensitive data like the state tokens produced by OpenIddict. @@ -140,7 +138,6 @@ public class Startup options.SetClientId("1016114395689-kgtgq2p6dj27d7v6e2kjkoj54dgrrckh.apps.googleusercontent.com") .SetClientSecret("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") .SetRedirectUri("https://localhost:44381/callback/login/google") - .SetAccessType("offline") .AddScopes(Scopes.Profile); }) .UseReddit(options => diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/Home/Index.cshtml b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/Home/Index.cshtml index f9e9fd73..4c97a1d7 100644 --- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/Home/Index.cshtml +++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Views/Home/Index.cshtml @@ -1,6 +1,4 @@ @using System.Security.Claims -@using Microsoft.AspNetCore.Authentication; -@using OpenIddict.Client.AspNetCore; @model string
@@ -17,23 +15,16 @@ if (!string.IsNullOrEmpty(Model)) { -

Payload returned by the controller: @Model

+

Message received from the resource controller: @Model

} if (User.FindFirst(ClaimTypes.NameIdentifier)?.Issuer is "https://localhost:44395/") { - + } - if (!string.IsNullOrEmpty(await Context.GetTokenAsync(OpenIddictClientAspNetCoreConstants.Tokens.RefreshToken))) - { -
- -
- } -
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs index fc5a9c90..96879f94 100644 --- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs +++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs @@ -32,8 +32,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers */ OverrideResponseMode.Descriptor, FormatNonStandardScopeParameter.Descriptor, - IncludeStateParameterInRedirectUri.Descriptor, - AttachAdditionalChallengeParameters.Descriptor) + IncludeStateParameterInRedirectUri.Descriptor) .AddRange(Discovery.DefaultHandlers) .AddRange(Exchange.DefaultHandlers) .AddRange(Protection.DefaultHandlers) 
@@ -510,42 +509,4 @@ public static partial class OpenIddictClientWebIntegrationHandlers return default; } } - - /// - /// Contains the logic responsible for attaching additional parameters - /// to the authorization request for the providers that require it. - /// - public sealed class AttachAdditionalChallengeParameters : IOpenIddictClientHandler - { - /// - /// Gets the default descriptor definition assigned to this handler. - /// - public static OpenIddictClientHandlerDescriptor Descriptor { get; } - = OpenIddictClientHandlerDescriptor.CreateBuilder() - .AddFilter() - .UseSingletonHandler() - .SetOrder(AttachChallengeParameters.Descriptor.Order + 500) - .SetType(OpenIddictClientHandlerType.BuiltIn) - .Build(); - - /// - public ValueTask HandleAsync(ProcessChallengeContext context) - { - if (context is null) - { - throw new ArgumentNullException(nameof(context)); - } - - // By default, Google doesn't return a refresh token but allows sending an "access_type" - // parameter to retrieve one (but it is only returned during the first authorization dance). - if (context.Registration.ProviderName is Providers.Google) - { - var options = context.Registration.GetGoogleOptions(); - - context.Request["access_type"] = options.AccessType; - } - - return default; - } - } } diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml index 3a6e979c..1eec13c8 100644 --- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml +++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml @@ -39,9 +39,6 @@ - -