It's a good question. I was listening to an Esri presentation about marketplace and OAuth2 yesterday and they kept talking about one-step vs. two-step authorization. See two-step here: https://developers.arcgis.com/en/authentication/user-ios-etc.html
One-step authorization being for JavaScript, Flex apps that will expire shortly, and you don't get a refresh token. Two-step being for mobile apps (or I think desktop or server apps also) where you get the refresh token and don't want to have frequent logins. When the access token expires, you can keep getting new ones with the refresh token theoretically forever and wouldn't have to log in after the first time. Of course, this is a security risk if you are saving this, say as a cookie for a JavaScript app.
Long way around to your question, but if you don't find any more information about the interesting phrase "resources...that have been shared with the application", I wonder if it really is more about users, and not apps, having access to resources?
A mobile, server (think PHP server side) or desktop application can use the two-step authorization with a user account, get the refresh token, save it securely and keep refreshing the access token as needed. Under this scenario, other non-AGOL users would not have to log in to AGOL through your app, but can access AGOL resources through your app with the one named user account that is perpetually logged in.
As an aside, I'm not sure they would let an app of this sort into their marketplace because it doesn't involve individual users having to log in to AGOL. Everything I'm hearing revolves around this phrase "named user account". Esri wants to sell subscriptions to AGOL and they want people to have an account and log in with it -- which makes some have conniptions, but it's just their business model.
I have done something very similar by embedding a web app (where you can set editing options and include widgets) within a story journal. To stop users from deleting the comments of others, you can set the editing properties for the feature layer by selecting 'Edit' from its item details page.
Then set the editing properties to 'Add features only'.
You will need to make the application publicly accessible so that people outside of your organisation are able to view it, but could limit access by embedding the URL in a password protected web page or similar.
Best Answer
If you have services that require authentication but you don't want your users to sign in, the best approach is to have your application handle the authentication for you. You do this by either setting up a proxy on your own server, or using a proxy service hosted by AGOL.
The first step is to create the actual application and register it with AGOL or your own portal. This can be done directly in AGOL or via the Developers site. If you are uncertain how, you can also try it by adding an item directly in AGOL by following the section for "Add Apps" in http://doc.arcgis.com/en/arcgis-online/share-maps/add-items.htm. This does the same thing as what is described in https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/accessing-arcgis-online-services/.
Once the application is registered, you will need to take note of the client id and secret. This can be seen as analogous to a username/password. These credentials would need to be stored in a proxy file that you have accessible (and also locked down) on your own server. More information on these proxies can be found at https://github.com/Esri/resource-proxy.
If you do not wish to host your own proxy file, you can use the hosted proxies. For example, let's say you are working with the route task which requires credentials. You can use a hosted proxy service for the route task and reference that URL. More information on the proxy services can be found at https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/working-with-proxies/.
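
A sketch of the self-hosted proxy approach from the answer above, as an added example that is not part of the original post and is not Esri's resource-proxy code: the server keeps the client id and secret, exchanges them for an app token with the `client_credentials` grant, caches the token, and only tokenises URLs on an allow-list. The class name `AppTokenProxy`, the `ALLOWED` table and the injectable `post`/`clock` parameters are assumptions made for illustration.

```python
import json
import time
from urllib.parse import urlencode, urlsplit
from urllib.request import urlopen

TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"
# Assumption: the only upstream this proxy serves is the routing service.
ALLOWED = {"route.arcgis.com": "/arcgis/rest/services/"}

def post_form(url, fields):
    """Default transport: POST a form body and decode the JSON reply."""
    with urlopen(url, data=urlencode(fields).encode(), timeout=10) as resp:
        return json.load(resp)

class AppTokenProxy:
    """Holds the app credentials server-side and hands out tokenised URLs."""

    def __init__(self, client_id, client_secret, post=post_form, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def _app_token(self):
        # Reuse the cached token until 60 s before it expires.
        if self._token is None or self._clock() >= self._expires_at - 60:
            reply = self._post(TOKEN_URL, {
                "client_id": self._id,
                "client_secret": self._secret,
                "grant_type": "client_credentials",
            })
            if "access_token" not in reply:
                raise RuntimeError("token request rejected")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def upstream_url(self, requested):
        """Validate a client-supplied URL, then append the app token."""
        parts = urlsplit(requested)
        prefix = ALLOWED.get(parts.hostname or "")
        if (parts.scheme != "https" or prefix is None or parts.username
                or parts.port not in (None, 443) or parts.fragment
                or not parts.path.startswith(prefix)
                or ".." in parts.path.split("/")
                or "token=" in parts.query):
            raise PermissionError("URL is not on the proxy allow-list")
        sep = "&" if parts.query else "?"
        return requested + sep + urlencode({"token": self._app_token()})
```

The allow-list is what keeps such a proxy from being used to spend the app's credentials on arbitrary services; the browser only ever sees the proxy's responses, never the client secret.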