Depending on whether you need roles in the client or backend, you’d add them as custom claims to the ID or access token; see similar question:
The user’s roles are available in context.authorization.roles within Rules.
So you could just add it in the Rule code like this:
context.idToken['https://any-namespace/roles'] = context.authorization.roles;
context.accessToken['https://any-namespace/roles'] = context.authorization.roles;
In case you’re wondering about that namespace URL, see https://auth0.com/docs/tokens/guides/create-namespaced-custom-claims:
By default, Auth0 always enforces namespacing; any custom claims with non-namespaced identifiers will be silently excluded from tokens.
We do allow non-OIDC claims without a namespace for legacy tenants using a non-OIDC-conformant pipeline with the Legacy User Profile enabled, but we strongly recommend that legacy tenants migrate to an OIDC-conformant flow.
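An added example, not part of the original answer: the two assignments above placed in a complete Rule, plus a backend-side check of the namespaced claim. The `NAMESPACE` constant, the `hasRole` helper, the `demo` function and the sample user and roles are assumptions made for illustration.

```javascript
// Constructed placeholder namespace; in practice use a URL you control.
const NAMESPACE = 'https://any-namespace/';

// Auth0 Rule: copy the roles assigned to the user into both tokens.
function addRolesToTokens(user, context, callback) {
  // context.authorization may be missing; fall back to an empty list
  // so the claim is always an array and consumers need no special case.
  const roles = (context.authorization && context.authorization.roles) || [];

  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};

  // Namespaced claim names: non-namespaced custom claims are dropped.
  context.idToken[NAMESPACE + 'roles'] = roles;     // read by the client
  context.accessToken[NAMESPACE + 'roles'] = roles; // read by the backend

  return callback(null, user, context);
}

// Hypothetical backend helper. It expects the payload of an access token
// whose signature, issuer and audience have ALREADY been verified; it never
// trusts a bare "roles" claim, only the namespaced one set by the Rule.
function hasRole(verifiedPayload, role) {
  const roles = verifiedPayload[NAMESPACE + 'roles'];
  return Array.isArray(roles) && roles.includes(role);
}

// Constructed sample run: simulates the Rule pipeline for one login.
function demo() {
  const context = {
    authorization: { roles: ['admin', 'editor'] },
    idToken: {},
    accessToken: {},
  };
  let result = null;
  addRolesToTokens({ user_id: 'auth0|sample' }, context, (err, user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}
```

On the API side, authorize only from the verified access token; the ID token copy is for the client's UI decisions.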