Trying to understand access token use

For B-to-B you can also use the ‘service accounts’ mode, avoiding the client credential grants.
On the client (confidential) you activate ‘Service account Enabled’, and then limit this service account's scopes using both the new ‘service account roles’ tab and the ‘scope’ tab (access rights are defined by the combination of these).

Log in with a POST on realms/<your realm>/protocol/openid-connect/token, grant_type=client_credentials, and for the credentials use the client's client_id and client_secret (so no ‘real’ user and password is required). Keycloak will respond with an access token (with a short or medium lifetime, I agree). No refresh token in the response, only this access token. Just check that the access token is still valid, and when it’s not valid anymore re-ask for a new one.

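The "check validity, re-ask when expired" loop from the post, as an added example that is not from the original thread: a small client that POSTs `grant_type=client_credentials` to the realm's token endpoint, caches the access token, and re-requests it when `expires_in` is about to run out (there is no refresh token to use). The base URL, realm, client id/secret, the `expires_in` value and the `fake_token_endpoint` stand-in are constructed assumptions so the block runs offline.

```python
import json
import time
import urllib.parse
import urllib.request


class ClientCredentialsToken:
    """Caches a Keycloak access token obtained with grant_type=client_credentials
    (the 'service account' mode) and re-requests it shortly before it expires.
    The token response carries no refresh token, so renewal is just a fresh POST
    with the client's own client_id and client_secret."""

    def __init__(self, base_url, realm, client_id, client_secret,
                 post=None, now=time.time, margin=30):
        self.token_url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post or self._http_post   # injectable so tests need no network
        self.now = now                        # injectable clock
        self.margin = margin                  # seconds of slack before expires_in
        self.access_token = None
        self.expires_at = 0.0

    @staticmethod
    def _http_post(url, form):
        # Real transport: form-encoded POST, JSON response (used when no stub is given)
        req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def is_valid(self):
        """True while a cached token exists and has more than `margin` seconds left."""
        return self.access_token is not None and self.now() < self.expires_at - self.margin

    def get(self):
        """Return a usable access token, re-asking the token endpoint when needed."""
        if not self.is_valid():
            body = self.post(self.token_url, {"grant_type": "client_credentials",
                                              "client_id": self.client_id,
                                              "client_secret": self.client_secret})
            self.access_token = body["access_token"]
            self.expires_at = self.now() + float(body["expires_in"])  # server-stated lifetime
        return self.access_token


def fake_token_endpoint(url, form):
    """Constructed stand-in for Keycloak's token endpoint: no network, counts calls."""
    assert form["grant_type"] == "client_credentials" and form["client_secret"]
    fake_token_endpoint.calls += 1
    return {"access_token": f"tok-{fake_token_endpoint.calls}", "expires_in": 300, "token_type": "Bearer"}
fake_token_endpoint.calls = 0
```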