I created a custom app with AppBuilder Dev edition for a client who wants to access the app with credentials. Maps and layers have to be secured, so they are shared only with a group containing the potential users, or even not shared with anyone. The user can sign in to their AGOL account to find the app and open it. This step is not necessary if the user knows the app's URL and opens the app directly. AGOL only redirects the user to the app's URL, so if the user tries to access the app through AGOL, they have to sign in twice: once to enter their AGOL account and then again to give the app access to the secured layers, and that's annoying for the user. I would like to know if there is a way for AGOL to provide the credentials or the token to the application so it can access the data and open the app when it is opened from an AGOL account. That means if you click on the app when you are already signed in to a user account that has been granted access, you won't need to type the credentials again, but if you access the app directly or from an AGOL account that has not been granted access, you will be asked to enter the credentials.
This is important because many of the users don't know their AGOL passwords because they sign in to AGOL with a PIV card. So, although they are signed in to AGOL, they can't open the app because they can't enter their credentials the second time. To solve it, I need AGOL to send the credentials to the app, or a method that lets the app get the credentials from the PIV card if it is used.
On the other hand, I mentioned that some of the layers the app uses don't have to be shared. I need to grant the app access to those layers. I know that one way is to get access via a proxy; however, for some reason I cannot install the proxy on the server. What other way is there to grant access to an app instead of to a user?