So I thought I understood how in-app billing and server-side verification works thanks to an answer to a previous question of mine but now that I think of it I'm still lost...
This is what I have and what I want to do:
I have an app where the users can purchase several "items". Each item is stored on a server and and item should be made available for downloaded within the app upon purchase. The items are managed items that can be purchased only once (ie non-consumable). I have no problem defining items in the Google Play Developer console and I can perform a successful purchase.
What I don't understand is how I can get my server to not only validate the purchase (using the purchaseToken and signature) but also know that it is item X and not item Y that is purchased? Is there some Google API where the server can talk to Google and ask what item id a certain purchaseToken belongs to? Is there some other way to do this?
I hate to answer my own question, but hey, nobody else did! Me and my colleagues took another look at the problem again this morning. The solution to my problem finally occurred to me after taking another look at how the client side verification works in the TrivialDrive example. Man, did I feel like putting on my "stupid-hat", when I understood what was wrong.
I thought that it was the purchaseToken and the signature that was used to verify the purchase, but that way there was no means of verifying if it was item A or item B that was purchased.
If you want to do server-side verification (or any kind of verification for that matter) before making content available to the buyer it's actually the original JSON data (if you use the IabHelper classes, you get the original JSON from the Purchase class) that you're supposed to use together with the signature and the public key. And since it's the original JSON data you're passing along to your server it also contains all the information about the purchase (such as SKU id etc).
It's also important to set the developer payload to something that uniquely identifies your user (not the device!). In our case each user has an account on the server and I use the unique user id as developer payload.
/Mr.Stupid signing off!