From 4273728b6f70b490d2322000fee5d07074f53838 Mon Sep 17 00:00:00 2001 From: Peter McDonald <148006+petermcd@users.noreply.github.com> Date: Tue, 26 Sep 2023 17:20:42 +0100 Subject: [PATCH 1/2] Corrected instructions for generating code challenge and code verifier --- docs/getting_started.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/getting_started.rst b/docs/getting_started.rst index 9b79f9a32..388afa300 100644 --- a/docs/getting_started.rst +++ b/docs/getting_started.rst @@ -268,9 +268,8 @@ Now let's generate an authentication code grant with PKCE (Proof Key for Code Ex import hashlib code_verifier = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(random.randint(43, 128))) - code_verifier = base64.urlsafe_b64encode(code_verifier.encode('utf-8')) - code_challenge = hashlib.sha256(code_verifier).digest() + code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest() code_challenge = base64.urlsafe_b64encode(code_challenge).decode('utf-8').replace('=', '') Take note of ``code_challenge`` since we will include it in the code flow URL. It should look something like ``XRi41b-5yHtTojvCpXFpsLUnmGFz6xR15c3vpPANAvM``. From 3cf78cd59ae2845122d8ebcca38d8ad54d5728da Mon Sep 17 00:00:00 2001 From: Peter McDonald <148006+petermcd@users.noreply.github.com> Date: Tue, 26 Sep 2023 17:29:01 +0100 Subject: [PATCH 2/2] Updated AUTHORS and CHANGELOG.md --- AUTHORS | 1 + CHANGELOG.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index aaedf1084..9fb42239e 100644 --- a/AUTHORS +++ b/AUTHORS @@ -80,6 +80,7 @@ Paul Oswald Pavel Tvrdík Peter Carnesciali Peter Karman +Peter McDonald Petr Dlouhý Rodney Richardson Rustem Saiargaliev diff --git a/CHANGELOG.md b/CHANGELOG.md index 323f0346a..a61a3ebdb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -26,7 +26,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures. - ### Fixed -* #1284 Allow to logout whith no id_token_hint even if the browser session already expired +* #1322 Instructions in documentation on how to create a code challenge and code verifier +* #1284 Allow to logout with no id_token_hint even if the browser session already expired * #1296 Added reverse function in migration 0006_alter_application_client_secret ## [2.3.0] 2023-05-31
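Review bot: in the docs/getting_started.rst hunk, the unchanged context line that builds `code_verifier` still draws characters with `random.choice`, which uses Python's non-cryptographic generator, so the verifier this snippet teaches is predictable in a way PKCE is meant to rule out. Since the hunk already corrects these instructions, consider switching that line to `secrets.choice` (adding `import secrets`) or to `secrets.token_urlsafe`, and widening the alphabet beyond `string.ascii_uppercase + string.digits`. The hashing change itself looks right: the challenge is now the SHA-256 of the verifier string the client will actually send, rather than of a base64-encoded bytes object. A small optional tidy-up on the last line is `.rstrip('=')` in place of `.replace('=', '')`, which states the intent of removing padding only.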
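Review bot: in the CHANGELOG.md hunk, the new `#1322` entry under "Fixed" is a noun phrase ("Instructions in documentation on how to create ...") and does not say what was wrong. A wording such as "Fix documentation instructions for generating the PKCE code verifier and code challenge" would tell readers who followed the old snippet that their challenge values were computed differently. The same hunk also corrects "whith" to "with" in the `#1284` entry, which is unrelated to the subject line "Updated AUTHORS and CHANGELOG.md"; a mention in the commit message would make that change easier to trace.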