diff --git a/.env.dev b/.env.dev
index 4f5f4232a..800acde04 100644
--- a/.env.dev
+++ b/.env.dev
@@ -91,8 +91,6 @@ OAUTH2_AUTH_URL=http://localhost:8083/o/authorize
 OAUTH2_TOKEN_URL=http://wagtail:8000/o/token/
 OAUTH2_CALLBACK_URL=http://localhost:3000/client/authn/oauth2-provider/callback
 OAUTH2_INTROSPECTION_URL=http://wagtail:8000/o/introspect/
-OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
-OAUTH2_INTROSPECTION_SUB_KEY=userId
 OAUTH2_USER_PROFILE_URL=http://wagtail:8000/profile
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c5a2f187..aeb1f9b4e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,14 +10,7 @@
 - Stop using environment variable `LAYMAN_GS_ROLE_SERVICE`, it has no effect to Layman anymore. Layman now uses [role service](doc/security.md#role-service) identified by new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI). The service is called `layman_role_service` on GeoServer.
 - Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
 - If you are using Wagtail as OAuth2 provider
- - Set new environment variable [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](doc/env-settings.md#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE):
- ```
- OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
- ```
- - Change environment variable [OAUTH2_INTROSPECTION_SUB_KEY](doc/env-settings.md#OAUTH2_INTROSPECTION_SUB_KEY):
- ```
- OAUTH2_INTROSPECTION_SUB_KEY=userId
- ```
+ - Stop using environment variable `OAUTH2_INTROSPECTION_SUB_KEY`, it has no effect to Layman anymore. OAuth2 subject (also known as "sub") is taken from `userId` key of [OAUTH2_USER_PROFILE_URL](#OAUTH2_USER_PROFILE_URL).
 - After running `make upgrade-demo` or `make-upgrade-demo-full`, run also script `v1_23_change_oauth2_sub_username_to_user_id.py`:
 ```bash
 docker compose -f docker-compose.deps.demo.yml -f docker-compose.demo.yml run --rm --no-deps -u root -e LAYMAN_WAGTAIL_DB_URI= layman bash -c "cd src && python3 -B v1_23_change_oauth2_sub_username_to_user_id.py"
diff --git a/doc/env-settings.md b/doc/env-settings.md
index b9795e75b..ea0844ebc 100644
--- a/doc/env-settings.md
+++ b/doc/env-settings.md
@@ -84,12 +84,6 @@ URL of LTC OAuth2 callback endpoint to be called after successful OAuth2 authori
 ### OAUTH2_INTROSPECTION_URL
 URL of OAuth2 Introspection endpoint.
-### OAUTH2_INTROSPECTION_SUB_KEY
-Name of the key in OAuth2 introspection response whose value is OAuth2 subject (also known as "sub"). Value `userId` is suitable for Wagtail (together with setting [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE) to `true`). If not set or set to empty string, `sub` is used, that is suitable option for Liferay.
-
-### OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE
-Set to `true` if you want [OAUTH2_INTROSPECTION_SUB_KEY](#OAUTH2_INTROSPECTION_SUB_KEY) to be read from [OAUTH2_USER_PROFILE_URL](#OAUTH2_USER_PROFILE_URL) instead of [OAUTH2_INTROSPECTION_URL](#OAUTH2_INTROSPECTION_URL). Default value is `false`. Value `true` is suitable for Wagtail.
-
 ### OAUTH2_USER_PROFILE_URL
 URL of User Profile endpoint used to obtain user's ID, name, email, etc.
diff --git a/src/layman_settings.py b/src/layman_settings.py
index 3ec3515bf..49c955ab0 100644
--- a/src/layman_settings.py
+++ b/src/layman_settings.py
@@ -214,9 +214,9 @@ class EnumWfsWmsStatus(Enum):
 if len(u) > 0
 ]
 OAUTH2_INTROSPECTION_URL = os.getenv('OAUTH2_INTROSPECTION_URL', None)
-OAUTH2_INTROSPECTION_SUB_KEY = os.getenv('OAUTH2_INTROSPECTION_SUB_KEY') or 'sub'
+OAUTH2_INTROSPECTION_SUB_KEY = 'userId'
 OAUTH2_USER_PROFILE_URL = os.getenv('OAUTH2_USER_PROFILE_URL', None)
-OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = os.getenv('OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE', 'false') == 'true'
+OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = True
 OAUTH2_CLIENTS = [
 d for d in read_clients_dict_from_env()
 if len(d['id']) > 0
diff --git a/test_tools/mock/oauth2_provider/app.py b/test_tools/mock/oauth2_provider/app.py
index 59d7d3b69..250738caf 100644
--- a/test_tools/mock/oauth2_provider/app.py
+++ b/test_tools/mock/oauth2_provider/app.py
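Review bot: Hard-coding `OAUTH2_INTROSPECTION_SUB_KEY = 'userId'` and `OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = True` silently changes where the OAuth2 subject comes from for any deployment that still exports the old variables (for example a setup that relied on `sub` from the introspection response), and nothing in the hunk tells the operator. Because the subject is the identity Layman binds requests to, a silent source change deserves a startup warning: `if os.getenv('OAUTH2_INTROSPECTION_SUB_KEY') or os.getenv('OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE'):` followed by a `warnings.warn(...)` saying the variables are ignored (the file's import block is outside the hunk, so `warnings` may need adding). A comment above the two assignments, `# OAuth2 subject is always read from the 'userId' key of the user-profile response; the former env vars are ignored`, would document the intent for the next reader. Whether the boolean is still consulted elsewhere cannot be seen from this hunk.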
@@ -14,7 +14,7 @@ def create_app(app_config):
 tok2prof = {}
 tok2prof.update(token_2_profile)
 u_idx = 30000
- for username, userdef in value.items():
+ for user_id, (username, userdef) in enumerate(value.items()):
 sub = userdef.get('sub') if userdef and userdef.get('sub') else f'{u_idx}'
 assert sub not in [
 introsp['sub'] for introsp in tok2is.values()
@@ -28,7 +28,7 @@ def create_app(app_config):
 "lastName": f"{username}",
 "middleName": "",
 "screenName": f"{username}",
- "userId": sub,
+ "userId": user_id,
 }
 if userdef:
 tok2prof[username].update(userdef)
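Review bot: `enumerate(value.items())` starts at 0, so the first mock user gets `"userId": 0` in the second hunk, a falsy value that any `if user_id`-style guard in the code under test would treat as a missing subject; start the count at 1, `for user_id, (username, userdef) in enumerate(value.items(), start=1):`. The profile `userId` is now an `int` while the introspection `sub` stays a string (`f'{u_idx}'` or the configured `sub`), so the two identifiers the mock exposes for one user no longer agree in type or value; if that is meant to mirror a real provider's profile, a comment saying so would help, otherwise `str(user_id)` keeps the fixture consistent. Since the id is just the iteration position of `value`, reordering users in the test config renumbers them, which is acceptable for a mock but worth noting in a comment. `create_app` begins before the first hunk and continues after the second.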