To do the whole OAuth 2 protocol, yes, all parts need to support it: client, authorization server, and protected resource. But one of the good things about OAuth 2, in my opinion, is the modularity of the system. You can use the "get a token" parts and then present the token in a different manner, like in
https://tools.ietf.org/html/rfc7628 over GSSAPI. Or you can use some internal mechanism to get a token and then use the "use a token" portion apart from that. It's all up to your application how you want to put it together. But the thing is, in these other cases, I'd argue that you're no longer truly doing OAuth, you're doing "OAuth + something else". Which is fine and legal, of course, but the question is what do you call that.
The real danger in the world is coming up with something that's "OAuth-like", as a proprietary solution is not likely to be as tested and vetted as the standard.