diff --git a/packages/oauth/oauth-provider/src/router/create-authorization-page-middleware.ts b/packages/oauth/oauth-provider/src/router/create-authorization-page-middleware.ts
--- a/packages/oauth/oauth-provider/src/router/create-authorization-page-middleware.ts
+++ b/packages/oauth/oauth-provider/src/router/create-authorization-page-middleware.ts
@@ -74,7 +74,7 @@
 // @TODO Consider removing this altogether to allow hosting PDS and app on
 // the same site but different origins (different subdomains).
- validateFetchSite(req, ['same-origin', 'cross-site', 'none'])
+ validateFetchSite(req, ['same-origin', 'same-site', 'cross-site', 'none'])
 validateFetchMode(req, ['navigate'])
 validateFetchDest(req, ['document'])
 validateOrigin(req, issuerOrigin)
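Review bot: With `'same-site'` added, the list passed to `validateFetchSite` now names every value the Fetch Metadata spec defines for `Sec-Fetch-Site`, so the call can no longer reject a request on the header's value; at most it rejects a missing or unrecognised header, depending on how `validateFetchSite` treats those (not visible here). The `@TODO` above it still reads as if same-site hosting were unsupported, which is now stale. Either drop the call as the TODO proposes, or replace the comment with something like `// All Sec-Fetch-Site values are accepted (PDS and app may share a site); the mode, dest and origin checks below are what constrain this page.` Since `'cross-site'` was already allowed, the effective gate here is the `validateFetchMode`/`validateFetchDest`/`validateOrigin` calls, and a test asserting that a same-site request with a non-`navigate` mode is still refused would pin that. The enclosing function starts and ends outside the hunk.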