Thanks to this topic I found the solution:
function (user, context, callback) {
// This rule adds the authenticated user's roles to the access token.
var namespace = 'https://my-domain.com/';
context.accessToken[namespace + 'roles'] = context.authorization.roles;
callback(null, user, context);
}