diff --git a/apps/emqx/src/emqx_hocon.erl b/apps/emqx/src/emqx_hocon.erl
index 09503e6fe..08192e9be 100644
--- a/apps/emqx/src/emqx_hocon.erl
+++ b/apps/emqx/src/emqx_hocon.erl
@@ -119,8 +119,8 @@ compact_errors(SchemaModule, [Error0 | More], _Stacktrace) when is_map(Error0) -
         end,
     {error, Error};
 compact_errors(SchemaModule, Error, Stacktrace) ->
-    %% unexpected, we need the stacktrace reported, hence error
-    %% if this happens i'ts a bug in hocon_tconf
+    %% unexpected, we need the stacktrace reported
+    %% if this happens it's a bug in hocon_tconf
     {error, #{
         schema_module => SchemaModule,
         exception => Error,
diff --git a/apps/emqx_authn/src/emqx_authn.erl b/apps/emqx_authn/src/emqx_authn.erl
index 8bda0c3a1..15efeb673 100644
--- a/apps/emqx_authn/src/emqx_authn.erl
+++ b/apps/emqx_authn/src/emqx_authn.erl
@@ -20,7 +20,6 @@
     providers/0,
     check_config/1,
     check_config/2,
-    check_configs/1,
     %% for telemetry information
     get_enabled_authns/0
 ]).
@@ -39,16 +38,6 @@ providers() ->
         {{scram, built_in_database}, emqx_enhanced_authn_scram_mnesia}
     ].
 
-check_configs(CM) when is_map(CM) ->
-    check_configs([CM]);
-check_configs(CL) ->
-    check_configs(CL, 1).
-
-check_configs([], _Nth) ->
-    [];
-check_configs([Config | Configs], Nth) ->
-    [check_config(Config, #{id_for_log => Nth}) | check_configs(Configs, Nth + 1)].
-
 check_config(Config) ->
     check_config(Config, #{}).
 
@@ -67,14 +56,20 @@ do_check_config(#{<<"mechanism">> := Mec0} = Config, Opts) ->
         end,
     case lists:keyfind(Key, 1, providers()) of
         false ->
-            throw(#{error => unknown_authn_provider, which => Key});
+            Reason =
+                case Key of
+                    {M, B} ->
+                        #{mechanism => M, backend => B};
+                    M ->
+                        #{mechanism => M}
+                end,
+            throw(Reason#{error => unknown_authn_provider});
         {_, ProviderModule} ->
             do_check_config_maybe_throw(ProviderModule, Config, Opts)
     end;
-do_check_config(Config, Opts) when is_map(Config) ->
+do_check_config(Config, _Opts) when is_map(Config) ->
     throw(#{
         error => invalid_config,
-        which => maps:get(id_for_log, Opts, unknown),
         reason => "mechanism_field_required"
     }).
 
diff --git a/apps/emqx_authn/src/emqx_authn_app.erl b/apps/emqx_authn/src/emqx_authn_app.erl
index c94aec75d..44fec2363 100644
--- a/apps/emqx_authn/src/emqx_authn_app.erl
+++ b/apps/emqx_authn/src/emqx_authn_app.erl
@@ -55,8 +55,7 @@ stop(_State) ->
 initialize() ->
     ok = ?AUTHN:register_providers(emqx_authn:providers()),
     lists:foreach(
-        fun({ChainName, RawAuthConfigs}) ->
-            AuthConfig = emqx_authn:check_configs(RawAuthConfigs),
+        fun({ChainName, AuthConfig}) ->
             ?AUTHN:initialize_authentication(
                 ChainName,
                 AuthConfig
@@ -73,12 +72,12 @@ chain_configs() ->
     [global_chain_config() | listener_chain_configs()].
 
 global_chain_config() ->
-    {?GLOBAL, emqx:get_raw_config([?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_BINARY], [])}.
+    {?GLOBAL, emqx:get_config([?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_BINARY], [])}.
 
 listener_chain_configs() ->
     lists:map(
         fun({ListenerID, _}) ->
-            {ListenerID, emqx:get_raw_config(auth_config_path(ListenerID), [])}
+            {ListenerID, emqx:get_config(auth_config_path(ListenerID), [])}
         end,
         emqx_listeners:list()
     ).
diff --git a/apps/emqx_authn/test/emqx_authn_SUITE.erl b/apps/emqx_authn/test/emqx_authn_SUITE.erl
index b30d2fcff..4f96ca2dd 100644
--- a/apps/emqx_authn/test/emqx_authn_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_SUITE.erl
@@ -168,6 +168,38 @@ t_password_undefined(Config) when is_list(Config) ->
     end,
     ok.
 
+t_union_selector_errors({init, Config}) ->
+    Config;
+t_union_selector_errors({'end', _Config}) ->
+    ok;
+t_union_selector_errors(Config) when is_list(Config) ->
+    Conf0 = #{
+        <<"mechanism">> => <<"password_based">>,
+        <<"backend">> => <<"mysql">>
+    },
+    Conf1 = Conf0#{<<"mechanism">> => <<"unknown-atom-xx">>},
+    ?assertThrow(#{error := unknown_mechanism}, emqx_authn:check_config(Conf1)),
+    Conf2 = Conf0#{<<"backend">> => <<"unknown-atom-xx">>},
+    ?assertThrow(#{error := unknown_backend}, emqx_authn:check_config(Conf2)),
+    Conf3 = Conf0#{<<"backend">> => <<"unknown">>, <<"mechanism">> => <<"unknown">>},
+    ?assertThrow(
+        #{
+            error := unknown_authn_provider,
+            backend := unknown,
+            mechanism := unknown
+        },
+        emqx_authn:check_config(Conf3)
+    ),
+    Res = catch (emqx_authn:check_config(#{<<"mechanism">> => <<"unknown">>})),
+    ?assertEqual(
+        #{
+            error => unknown_authn_provider,
+            mechanism => unknown
+        },
+        Res
+    ),
+    ok.
+
 parse(Bytes) ->
     {ok, Frame, <<>>, {none, _}} = emqx_frame:parse(Bytes),
     Frame.