Google Shortener with oauth 2.0 2-legged

Question

I am blocked in the creation of my mobile App.
I want to be able to use google shortener and his analytics feature in my app, the problem is that I want use the 2-legged Oauth2.0 and I haven't understand if is it possible to reach this goal with this google service.
I tried to implement a 3-legged Oauth 2.0, and all work. But is not what I want. I searched a lot on the web but I haven't found a nice solution. Some one can help me?

Answer 1

If you want to use 2-legged OAuth 2.0 (that is, your application acting on behalf of itself, and not accessing a specific user's data) then usage of a service account is usually the right way to do this.

However since you're building a mobile app, that means you'd need to embed the service account key in your app, which is generally a bad idea (since it can be extracted).

I'm not familiar the URL shortener API per se, however their docs seem to indicate it will work using a simple API key: https://developers.google.com/url-shortener/v1/getting_started#APIKey

I would suggest testing if that will work for your use-case, and if so it will be more practical to use than a service account.

Background: For environments that can be trusted, a service account is a better option to use as the key is never transmitted, but here where your app is being distributed anyway (and therefore needs a secret embedded inside of it) then either a private key, or a simple API key will provide equivalent level of security.