AspNetIdentity
Default expected stamp to empty string when null
I discovered a flaw within the ValidateAsync method around the expected stamp. If the GenerateAsync method reads NULL out of GetSecurityStampAsync, it will write an empty string into the memory stream. I assume that is the case because one cannot write NULL into a memory stream, but if the security stamp column in the database is NULL, validating a token will fail.
The simplest fix seems to be to default the expected stamp to an empty string when none is found.
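The mismatch described above, reproduced in a simplified model. This is an added example, not the project's code: the class `StampTokenModel`, its method signatures, the `normalizeNull` switch and the sample values are assumptions, and the data protection step applied to real tokens is left out.

```csharp
using System;
using System.IO;

static class StampTokenModel
{
    // Generate side: BinaryWriter.Write(string) throws on null,
    // so a NULL stamp from the store is serialized as "".
    public static byte[] Generate(string userId, string storedStamp)
    {
        using (var ms = new MemoryStream())
        using (var writer = new BinaryWriter(ms))
        {
            writer.Write(userId);
            writer.Write(storedStamp ?? "");
            writer.Flush();
            return ms.ToArray();
        }
    }

    // Validate side: normalizeNull = false models the comparison against the
    // raw store value; true models defaulting the expected stamp to "".
    public static bool Validate(byte[] token, string userId,
                                string storedStamp, bool normalizeNull)
    {
        using (var reader = new BinaryReader(new MemoryStream(token)))
        {
            if (reader.ReadString() != userId) return false;
            string stampInToken = reader.ReadString();
            string expected = normalizeNull ? (storedStamp ?? "") : storedStamp;
            return stampInToken == expected;
        }
    }

    static void Main()
    {
        string dbStamp = null; // constructed: NULL security stamp column
        byte[] token = Generate("user-1", dbStamp);

        // "" from the token is compared with null from the store.
        Console.WriteLine(Validate(token, "user-1", dbStamp, false));
        // Expected stamp defaulted to "", so both sides agree.
        Console.WriteLine(Validate(token, "user-1", dbStamp, true));
        // Stamp set after the token was issued: the old token no longer matches.
        Console.WriteLine(Validate(token, "user-1", "constructed-new-stamp", true));
    }
}
```

The third call shows that defaulting the expected stamp does not weaken the check: a token issued while the stamp was NULL stops validating once a stamp is set.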