Set webOrigin on validate.

lib/middleware/authorization.js

@@ -120,13 +120,14 @@ module.exports = function(server, options, validate, immediate, complete) {
       if (!areq || !areq.type) { return next(new AuthorizationError('Missing required parameter: response_type', 'invalid_request')); }
       if (areq.type && !areq.clientID) { return next(new AuthorizationError('Unsupported response type: ' + type, 'unsupported_response_type')); }
 
-      function validated(err, client, redirectURI) {
+      function validated(err, client, redirectURI, webOrigin) {
         // Set properties *before* next()'ing due to error.  The presence of a
         // redirectURI being provided, even under error conditions, indicates
         // that the client should be informed of the error via a redirect.
         req.oauth2 = {};
         if (client) { req.oauth2.client = client; }
         if (redirectURI) { req.oauth2.redirectURI = redirectURI; }
+        if (webOrigin) { req.oauth2.webOrigin = webOrigin; }
         req.oauth2.req = areq;
         req.oauth2.user = req[userProperty];
         if (req.locals) { req.oauth2.locals = req.locals; }