Hi @jonathan74
Welcome to the Auth0 Community!
Thank you for posting your question. We have an excellent knowledge solution that covers the topic of assigning the roles and permission to the access token → How to Add Roles and Permissions to the ID Token Using Actions
Regarding your code, the event.user.roles is populated if you are using the Authorization Extension; if not, all user roles will be set at the event.authentication.roles level.
Thanks
Dawid