It's a good question. I was listening to an Esri presentation about marketplace and oauth2 yesterday and they kept talking about one step vs two Step authorization. See two step here https://developers.arcgis.com/en/authentication/user-ios-etc.html
One step authorization being for javascript, flex apps that will expire shortly, and you don't get a refresh token. Two step being for mobile apps (or I think desktop or server apps also) where you get the refresh token and don't want to have frequent logins. When the access token expires, you can keep getting new ones with the refresh token theoretically forever and wouldn't have to login after the first time. Of course, this is a security risk if you are saving this, say as a cookie for a javascript app.
Long way around to your question, but if you don't find any more information about the interesting phrase "resources...that have been shared with the application", I wonder if it really is more about users, and not apps, having access to resources?
A mobile, server (think php server side) or desktop application can use the two step authorization with a user account, get the refresh token, save it securely and keep refreshing the access token as needed. Under this scenario, other non AGOL users would not have to login to AGOL through your app, but can access AGOL resources through your app with the one named user account that is perpetually logged in.
As an aside, I'm not sure they would let an app of this sort into their marketplace because it doesn't involve individual user having to login to AGOL. Everything I'm hearing revolves around this phrase "named user account". Esri wants to sell subscriptions to AGOL and they want people to have an account and login with it -- which makes some have conniptions, but it's just their business model.
Best Answer
At the time of writing, out of the box, there is not a way to allow users from more than one active directory to access your ArcGIS Server.
ArcGIS Server can hook into a single active directory. I am not a security boff, but you could investigate (stack overflow question?) the possibilities combining domains from different active directories with other products or at the domain controller end. I have heard of this being done, but cannot provide you with anything concrete.
ArcGIS.com allows you to setup Enterprise Logins, which makes use of SAML Web Single Sign On. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). Now, I would like to be corrected on this, but as far as I can see, whilst it is possible to consume multiple identity stores with the SAML model, ArcGIS.com only appears to allow you to point to one authentication server. Therefore, only one active directory. This might be by design, as what happens when it finds 'Adam Smith' in multiple stores?
As for Portal, this also relies on there being a singular identity store (i.e. One Active Directory).