Metadata attributes are normalized to the root user profile before rules execution - this is why they show up on successive logins, but not during the first login. You can achieve this by doing the following inside your rule, after you have set the metadata:
user.roles = user.app_metadata.roles;
This will return the roles claim on first login as well.
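The behaviour described above, as an added example that is not part of the original post. The `auth0` object and `simulateLogin` are constructed stand-ins for the Rules runtime (a simplified model of the normalization step), and the default `['user']` role and the user ids are assumptions.

```javascript
// Constructed stand-in for the Rules runtime's `auth0` global, so this runs offline.
const store = {}; // user_id -> persisted app_metadata
const auth0 = {
  users: {
    updateAppMetadata(userId, metadata) {
      store[userId] = JSON.parse(JSON.stringify(metadata));
      return Promise.resolve();
    },
  },
};

// Simplified model of the pipeline: persisted app_metadata attributes are
// copied onto the root profile BEFORE the rule executes.
function simulateLogin(rule, profile) {
  const meta = store[profile.user_id] || {};
  const user = Object.assign({}, meta, profile, { app_metadata: Object.assign({}, meta) });
  return new Promise((resolve, reject) =>
    rule(user, {}, (err, u) => (err ? reject(err) : resolve(u))));
}

// Builds a rule that sets roles in app_metadata; `mirror` toggles the fix.
function makeRule(mirror) {
  return function (user, context, callback) {
    user.app_metadata = user.app_metadata || {};
    user.app_metadata.roles = user.app_metadata.roles || ['user']; // assumed default
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function () {
        // Normalization already ran, so copy the value to the root by hand.
        if (mirror) user.roles = user.app_metadata.roles;
        callback(null, user, context);
      })
      .catch(callback);
  };
}

// Two logins without the fix, then a first login of another user with it.
async function demo() {
  const a = { user_id: 'auth0|constructed-a' };
  const b = { user_id: 'auth0|constructed-b' };
  const first = await simulateLogin(makeRule(false), a);
  const second = await simulateLogin(makeRule(false), a);
  const fixed = await simulateLogin(makeRule(true), b);
  return { first: first.roles, second: second.roles, fixed: fixed.roles };
}
```

Without the mirror line, an API that authorizes on the `roles` claim sees no roles for a brand-new user until their second login.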