Comment # 2 on bug 1173427 from Michael Andres

Well, that's the usual HTTP authentication workflow. 

The server responds to a client with a 401 (Unauthorized) response status and
provides information on how to authorize with a WWW-Authenticate response
header containing at least one challenge. A client that wants to authenticate
itself with a server can then do so by including an Authorization request
header field with the credentials. 

A client does not itself decide that it wants to send an authenticated request.
It is something the server requires. IMO zypp behaves right.