[keycloak-user] preferred identity mechanism for rest clients

Hi, We are using mod_auth_openidc set up as a keycloak client so we can use openid-connect for browsers and oauth20 for REST clients. We have setup some REST clients as users and use a grant_type=password to get a bearer token but I’ve also tested using a keycloak client with a service account to achieve a similar effect. There is a benefit to us in using a user account because we have hooked the account creation into our internal authorization mechanism but would it be preferable to use service accounts instead? Thanks in advance, G