Yup. Rotating refresh tokens is also being recommended by the latest OAuth RFC as a MUST have for browser based apps: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-05#section-8