This looks pretty standard. A refresh token and a client secret are very similar when we boil them down in a client credentials grant.
This is a secure server, correct? If an attacker has access to your server, you probably have a bigger problem than just the tokens; your client secret is more powerful.