In my understanding, it is used when you have some internal service. Let's say you have ServiceA and ServiceB. A user calls ServiceA which in hand calls ServiceB. ServiceB is never called by the user directly, only by other services. ServiceA will get a token using the user's credentials. And then will use this token to call ServiceB. ServiceB will never initiate a login. It will just use the token to verify permissions.

In this case, ServiceA will be confidential and ServiceB will be bearer-only clients.

Bearer-only access type meaning

Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins.

So if you select your client as bearer-only then in that case keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That why keycloak documentation also mentioned bearer-only application will not allow the login from browser.

And if you can't obtain a token, what can you at all? Why do these clients exist?

Your client can't be set as bearer-only on Keycloak Server. You can still use bearer-only on the adapter configuration though. Keycloak doesn't allow "bearer only" clients (when setting up your client on the server) to obtain tokens from the server. Try to change your client to "confidential" on the server and set bearer-only on your adapter configuration (keycloak.json).

So if you understand above statement then if you have two microservice which are talking to each other in the case, caller will be confidential and callee will be bearer-only

And Keycloak also mentioned

Bearer only client are web service that never initiate a login .It’s typically used for securing the back-end.

So if you want to use any adapter you can use bearer-only depend on the need

Short answer: you can't obtain an access token using a bearer-only client, but you can obtain an access token a bearer-only client can accept using another client.

More details bearer-only clients usefully represents back-end applications, like web service, called by front application and secured by the authorization server (= keycloak)

Backend / Web service application are not called directly by user, so they can't play in the Oauth2.0 user interactive flow. Setting "bearer-only" document this fact to keycloak server, allowing administrator to configure client without otherwise mandatory values (example redirect uri…) and allowing usefull error messages if someone trying to obtain a token for such a client

However, this doesn't mean you cannot configure specific roles for this client: so it need to appear in keycloak realm.

In addition bearer-only client need to verify the received access token, especially, if this (recommenden) adapter feature "verify-token-audience" is activated, bearer-only client need to verify that the access token has been issued for it: the bearer-only client must be in the audience attribute of the access token: see https://www.keycloak.org/docs/latest/server_admin/index.html#_audience

for audience managing by keycloak, bearer-only clients needs to be registered in keycloak realm.