Reject empty segments in JWT validators

[naruto-lgtm]

Repro: set the external_credentials.identity_token provider field to .., or to any token with an empty segment such as ab..cd; both the plugin-framework and SDK JWT validators accept it as a valid JWT.

Cause: after the 3-part split, each segment is checked with base64.RawURLEncoding.DecodeString, and that returns no error for the empty string, so an empty header/payload/signature passes the check.

Fix: reject any empty segment before the base64 decode in jwtValidator.ValidateString (plugin-framework) and ValidateJWT (SDK). Both back the same external_credentials.identity_token field, so the guard belongs in the validators rather than the call sites.

Release Note Template for Downstream PRs (will be copied)

provider: fixed validation of `external_credentials.identity_token` to reject malformed JWTs containing empty segments

[github-actions]

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@BBBmau, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 048038f:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository	Diff Link	Changes
google provider	View Diff	4 files changed, 126 insertions(+), 2 deletions(-)
google-beta provider	View Diff	4 files changed, 126 insertions(+), 2 deletions(-)
terraform-google-conversion	View Diff	1 file changed, 7 insertions(+), 1 deletion(-)

Test report

Analytics

Total Tests	Passed	Skipped	Affected
6675	5983	686	6

Affected Service Packages

• All service packages are affected

Learn how VCR tests work

---

Step 1: Replaying Mode

Action taken

Found 6 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

Click here to see the affected tests

• TestAccContainerCluster_regionalWithNodePool
• TestAccContainerNodePool_withHostMaintenancePolicy
• TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
• TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
• TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
• TestAccPubsubSubscription_pubsubSubscriptionTagsExample

View the replaying VCR build log

---

Step 2: Recording Mode

Recording Mode	Replaying Rerun	Test Name
❌ Error · Log	-	TestAccContainerCluster_regionalWithNodePool
❌ Error · Log	-	TestAccContainerNodePool_withHostMaintenancePolicy
❌ Error · Log	-	TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
❌ Error · Log	-	TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
❌ Error · Log	-	TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
❌ Error · Log	-	TestAccPubsubSubscription_pubsubSubscriptionTagsExample

Caution

Issues requiring attention before PR completion

🔴 Initial Recording Failed: Some tests failed during the recording step. See the table above for details.

Please address these issues to complete your PR. If you believe these detections are incorrect or unrelated to your change, please raise the concern with your reviewer.

View the recording VCR build log or the debug logs folder for detailed results.

@naruto-lgtm, @BBBmau VCR tests complete for 048038f!