Well, that's the usual HTTP authentication workflow. The server responds to a client with a 401 (Unauthorized) response status and provides information on how to authorize with a WWW-Authenticate response header containing at least one challenge. A client that wants to authenticate itself with a server can then do so by including an Authorization request header field with the credentials. A client does not itself decide that it wants to send an authenticated request. It is something the server requires. IMO zypp behaves right.