What you described is pretty standard OAuth architecture. refresh_token is there to be able to refresh your access_token after it expires without having to send username and password again.
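The flow described above, as an added example that is not part of the original answer: an in-memory stand-in for a token endpoint and a client that sends the password once, then renews an expired access_token with the refresh_token only. The `AuthServer` and `Client` classes, the sample user, and the one-time-use (rotating) refresh token are assumptions made for illustration; the form field names follow RFC 6749.

```python
import secrets

class AuthServer:
    """Constructed in-memory stand-in for an OAuth 2.0 token endpoint."""
    def __init__(self, users, access_ttl=60):
        self.users = users              # username -> password (constructed sample data)
        self.access_ttl = access_ttl
        self.refresh_tokens = {}        # live refresh_token -> username
        self.password_checks = 0        # how often credentials were sent

    def _issue(self, user):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = user
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def token(self, form):
        grant = form.get("grant_type")
        if grant == "password":
            self.password_checks += 1
            stored = self.users.get(form.get("username"))
            given = form.get("password", "")
            if stored is None or not secrets.compare_digest(stored.encode(), given.encode()):
                raise PermissionError("invalid_grant")
            return self._issue(form["username"])
        if grant == "refresh_token":
            # Assumption: one-time-use refresh tokens (rotation); pop() revokes the old one.
            user = self.refresh_tokens.pop(form.get("refresh_token"), None)
            if user is None:
                raise PermissionError("invalid_grant")
            return self._issue(user)
        raise ValueError("unsupported_grant_type")

class Client:
    def __init__(self, server):
        self.server, self.tokens, self.expires_at = server, None, 0

    def _store(self, response, now):
        self.tokens, self.expires_at = response, now + response["expires_in"]

    def login(self, username, password, now):
        self._store(self.server.token({"grant_type": "password",
                                       "username": username, "password": password}), now)

    def access_token(self, now):
        if now >= self.expires_at:  # expired: refresh without sending credentials
            self._store(self.server.token({"grant_type": "refresh_token",
                                           "refresh_token": self.tokens["refresh_token"]}), now)
        return self.tokens["access_token"]
```

The client never stores the password, so a leaked access_token is only useful until it expires, and with rotation a replayed old refresh_token is rejected with `invalid_grant`.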