I am developing a web application to authenticate users outside of Portal. Once authenticated in the web app, the user should have access to Portal-based web maps within the custom web application. The only role Portal will play is hosting the web maps. Is it possible to set up a token such that the application itself is permitted access to the given resources within Portal, without requiring a separate Portal login?
Portal for ArcGIS resources can be published to "everyone" (behind the firewall), or private (subset of personnel behind the firewall). If it is published to everyone, no authentication is required so long as they are part of the network. If the content is published as private, it requires a Named User login. To create an app that circumvents the Named User login to a "private" map, would be against the license agreement. It sounds like you just need ensure the web maps are correctly published to everyone (or those using the app will need to login).
I now have this working. ESRI's application authentication pattern provides this functionality (ArcGIS Security and Authentication.) The web app authenticates using a proxy (Esri/resource-proxy). This allows the registered web application to login to Portal using a single application user and password without requiring each user to have an account on the ESRI Portal. This can be done without the proxy, but the proxy simplifies the security and token exchange.