DOKS clusters can now authenticate users through an external OpenID Connect provider. Each cluster has its own independent configuration managed via doctl, so dev, staging, and production environments can each enforce distinct access policies. Token issuance and revocation are handled directly from the IdP, so deactivating a user there removes their cluster access without manual credential rotation.