I'm imagining a system where for each session the client generates a fresh key pair, then sends its public key along in the initial request to the authorization server.
After login/if the request is approved, future requests are signed by the client. No token needs to be passed back. However, you would need something like a simple endpoint on the client server where the authorization server could verify that the request originated there.
Seems like it would be pretty simple. What am I missing?
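The scheme sketched in the question, written out as an added example (this is not code from the original post): the client generates a fresh Ed25519 key pair for the session, the authorization server binds the public key from the initial request to a session id, and every later request is signed with the session key instead of carrying a token. Two things the question does not mention are included because a verifier needs them in practice: a timestamp and a random nonce under the signature, so a captured signed request cannot be replayed, and a canonical encoding of exactly what was signed so the server checks the same bytes the client produced. Every name here (`SignedRequest`, `AuthServer`, `Sign`, `Verify`, the clock-skew window) is invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Added example of the per-session key scheme from the question; every name here is invented for it.
const maxClockSkew = 2 * time.Minute

var (
	ErrUnknownSession = errors.New("unknown session")
	ErrStale          = errors.New("timestamp outside allowed window")
	ErrBadSignature   = errors.New("signature verification failed")
	ErrReplay         = errors.New("nonce already seen")
)

// SignedRequest is what the client sends after registering its key. Timestamp
// and Nonce are under the signature, so a captured request cannot be replayed.
type SignedRequest struct {
	SessionID, Nonce, Method, Path, Body string
	Timestamp                            int64 // unix seconds
	Signature                            []byte
}

// canonical is the exact byte string both sides sign and verify; length-prefixing
// each field keeps a crafted Body or Path from masquerading as another field.
func canonical(r *SignedRequest) []byte {
	var b []byte
	for _, f := range []string{r.SessionID, strconv.FormatInt(r.Timestamp, 10),
		r.Nonce, r.Method, r.Path, r.Body} {
		b = append(b, fmt.Sprintf("%d:%s,", len(f), f)...)
	}
	return b
}

func randomHex(n int) string {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return fmt.Sprintf("%x", buf)
}

// Sign is the client side: stamp one request and sign it with the session key,
// which the client generated fresh with ed25519.GenerateKey and never sends.
func Sign(priv ed25519.PrivateKey, sessionID, method, path, body string, now time.Time) *SignedRequest {
	r := &SignedRequest{SessionID: sessionID, Timestamp: now.Unix(), Nonce: randomHex(16),
		Method: method, Path: path, Body: body}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}

// AuthServer maps session ids to registered keys and caches accepted nonces (no locking, for brevity).
type AuthServer struct {
	sessions map[string]ed25519.PublicKey
	seen     map[string]time.Time // "sessionID:nonce" -> when it was accepted
}

func NewAuthServer() *AuthServer {
	return &AuthServer{sessions: map[string]ed25519.PublicKey{}, seen: map[string]time.Time{}}
}

// PendingNonces reports how many accepted nonces are still held for replay checks.
func (s *AuthServer) PendingNonces() int { return len(s.seen) }

// Register handles the initial request: bind the client's public key to a fresh
// session id (in the question's design, only once login/approval succeeded).
func (s *AuthServer) Register(pub ed25519.PublicKey) string {
	id := randomHex(16)
	s.sessions[id] = append(ed25519.PublicKey(nil), pub...)
	return id
}

// Verify checks known session, fresh timestamp, valid signature and unseen
// nonce, recording the nonce only for a request that passed everything else.
func (s *AuthServer) Verify(r *SignedRequest, now time.Time) error {
	pub, ok := s.sessions[r.SessionID]
	if !ok {
		return ErrUnknownSession
	}
	if age := now.Sub(time.Unix(r.Timestamp, 0)); age > maxClockSkew || age < -maxClockSkew {
		return ErrStale
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return ErrBadSignature
	}
	key := r.SessionID + ":" + r.Nonce
	if _, dup := s.seen[key]; dup {
		return ErrReplay
	}
	s.seen[key] = now
	for k, t := range s.seen { // entries past the skew window can never verify again
		if now.Sub(t) > maxClockSkew {
			delete(s.seen, k)
		}
	}
	return nil
}
```

Usage follows the question's flow: `pub, priv, _ := ed25519.GenerateKey(rand.Reader)` on the client, `sid := srv.Register(pub)` for the initial request, then `srv.Verify(Sign(priv, sid, "POST", "/api/transfer", body, time.Now()), time.Now())` for each later call. Verifying the same `SignedRequest` twice returns `ErrReplay`, a modified body or a different private key returns `ErrBadSignature`, and a request stamped outside the skew window returns `ErrStale`. The "simple endpoint on the client server" the question mentions is not modelled here; in this example the server trusts whichever key arrived with the approved initial request, which is the binding a real design has to get right.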