Assuming a user is authorizing through an organization, the org_id should be present in the ID/Access token(s) returned - Please see this article for more details.
Regarding roles specifically, we recommend setting up an Action to add these as a custom claim to tokens: