Cause if you have just regular refresh tokens, from a secruity point of view, it's almost as good as having no refresh token at all.. (this is only true for frontend clients)