Understanding Access token expiration when using client_credentials grant type

Hello, as I said here: Trying to understand access token use - #3 by regilero, you can use this grant type to connect with service accounts. So instead of using a ‘user’ credential you should use the client_id/client_secret if this client has the ‘service account’ enabled.

You can use it to get the first token (do not start with the password grant type), and to get a new one every time it expires. In this mode Keycloak will never send a refresh token, because the refresh token system is made to maintain a connection where you used user credentials at first and, as you should never store user credentials, you do not have them later. So the refresh_token system is made to refresh access tokens when using user credentials. But for B-to-B API connections you should not use user credentials; use service accounts. That means you use static credentials (client_id/client_secret) which do not depend on a user.

Now if your API connection is really based on a password grant type, and you want to get different access levels on the REST API depending on the user, which is a rare case, you could start with the password grant type, but after expiration you should ask for new access_tokens using the refresh_token from the first response.
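The two token lifecycles described in this reply, as an added example in Python (not code from the original poster or from Keycloak): a service-account client that re-requests a token with the client_credentials grant whenever the cached one is about to expire, beside a user-facing client that sends the password grant once, discards the password, and afterwards uses the refresh_token grant. It assumes Keycloak's standard token endpoint at {issuer}/protocol/openid-connect/token; the issuer URL, client_id and client_secret values are placeholders, and the endpoint used under __main__ is a constructed fake so the script runs offline.

```python
"""Token lifecycle for a Keycloak client: client_credentials vs. password + refresh_token.

Added example, not code from the original post. Assumes Keycloak's standard
token endpoint below the realm issuer URL ({issuer}/protocol/openid-connect/token);
the issuer, client_id and client_secret in __main__ are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/protocol/openid-connect/token"
CLOCK_SKEW = 30  # seconds: renew this long before expires_in actually runs out


def http_post_form(url, fields):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def token_url(issuer):
    """Token endpoint for a realm issuer such as https://kc.example.com/realms/demo."""
    return issuer.rstrip("/") + TOKEN_PATH


class ServiceAccountTokenProvider:
    """client_credentials grant: every token comes from client_id/client_secret,
    requested again when the cached one is (nearly) expired. No refresh_token is kept."""

    def __init__(self, issuer, client_id, client_secret, post=http_post_form, now=time.monotonic):
        self.url = token_url(issuer)
        self._client = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._now = post, now
        self._token, self._expires_at = None, 0.0

    def get_access_token(self):
        if self._token is None or self._now() >= self._expires_at:
            body = self._post(self.url, dict(grant_type="client_credentials", **self._client))
            self._token = body["access_token"]
            self._expires_at = self._now() + int(body["expires_in"]) - CLOCK_SKEW
        return self._token


class UserTokenProvider:
    """password grant once, then refresh_token grant. The password is sent for the
    first request only and never stored; once the refresh token is gone the caller
    has to log in again."""

    def __init__(self, issuer, client_id, client_secret, post=http_post_form, now=time.monotonic):
        self.url = token_url(issuer)
        self._client = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._now = post, now
        self._access, self._refresh, self._expires_at = None, None, 0.0

    def login(self, username, password):
        body = self._post(self.url, dict(grant_type="password", username=username,
                                         password=password, **self._client))
        self._store(body)

    def get_access_token(self):
        if self._access is None:
            raise RuntimeError("not logged in; call login() first")
        if self._now() >= self._expires_at:
            if self._refresh is None:
                raise RuntimeError("no refresh token available; call login() again")
            body = self._post(self.url, dict(grant_type="refresh_token",
                                             refresh_token=self._refresh, **self._client))
            self._store(body)
        return self._access

    def _store(self, body):
        self._access = body["access_token"]
        # A refresh response may carry a new refresh_token; always keep the newest one.
        self._refresh = body.get("refresh_token", self._refresh)
        self._expires_at = self._now() + int(body["expires_in"]) - CLOCK_SKEW


if __name__ == "__main__":
    # Offline demonstration against a constructed fake endpoint (no Keycloak needed).
    grants = []

    def fake_post(url, fields):
        grants.append(fields["grant_type"])
        return {"access_token": "access-%d" % len(grants), "expires_in": 300, "token_type": "Bearer"}

    clock = [0.0]
    svc = ServiceAccountTokenProvider("https://kc.example.com/realms/demo", "billing-svc",
                                      "placeholder-secret", post=fake_post, now=lambda: clock[0])
    svc.get_access_token()
    svc.get_access_token()   # still cached: no second request
    clock[0] = 300.0         # past expires_in - CLOCK_SKEW
    svc.get_access_token()   # renewed with client_credentials again
    print(grants)            # ['client_credentials', 'client_credentials']
```

The skew constant keeps a request from being sent with a token that expires in flight; size it to your network latency rather than to the realm's access token lifespan. Because the service-account path never holds a refresh token, the only long-lived secret on that host is the client_secret, which is the trade the reply describes.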