factory should not check condor_tarball version prior to attempting SciTokens authentication to CE
The token hackathon of Feb 05 2021 revealed a bug in scitoken authentication chain assumptions, which borrowed from the previously implemented IDTokens auth chain.
With IDTokens, the intent is to authenticate from running glideins back to the vofrontend collector. The frontend generates unique IDTokens for each glidein site so that glideins from site can be disabled by invalidating a particular token. The frontend checks that glideins for a particular site can use IDTokens by checking the condor tarball version prior to generating one and passing it on.
With SciTokens, the intent is to authenticate to the CE from the factory on behalf of the frontend, which has passed its authorizing Scitoken to the factory. Multiple Scitokens for each CE are not needed. What is needed is the CE to be configured to accept the frontends Scitoken.
The SciToken, or SciTokens that the frontend presents should be specified in the frontend.xml. The file name need not match any particular glidein site, but it is forwarded to the factory to be used to authenticate with the CEs. If SciTokens authentication fails at this point the factory should fall back to using GSI authentication.
Related issue: #25200 Consider tokens for glidein submission the same way as grid_proxy, ssh keys