When you click the step 1 button you are opening a popup window to a page on our site. You send us a callback URL. The callback URL is a Joomla administrator URL for a special link in Akeeba Backup. More on that later.
The page on our site simply issues a redirection to Microsoft's authentication server. This step is required because the redirection uses the secret key we are not allowed to distribute in Akeeba Backup.
After you complete the authentication, Microsoft redirects you back to a page on our site which displays the token. The button there is a simple form which posts the access and refresh tokens to the callback URL. The callback URL simply runs a small piece of JavaScript which finds the opener window, finds the correct fields in the Configuration page and changes their value.
Considering that pasting the tokens manually returned a 403, it tells me that there is something hosting-related which doesn't like the format of the OneDrive tokens (they are base64-encoded). This also seems to be killing your Joomla session, which explains both problems.
You are the second person to report this in the last week. I have tested this with every server I have at my disposal. It works fine. Therefore it's most definitely a server configuration issue. If I were to make an educated guess I'd say it's a mod_security2 rule getting in your way. Your host should be able to look at the error log and determine which rule to disable – or give you the .htaccess code to do that.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
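The reply above suggests having the host check the error log to find which mod_security2 rule is returning the 403. The following is an added example, not part of the original reply and not Akeeba code, showing how such a log can be triaged: it groups ModSecurity 403 denials by rule id, matched request variable and URI. The log lines, rule ids, hostname, file path and the `access_token` / `refresh_token` field names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2 Apache error-log layout.
# Rule ids, paths, hostname and form-field names are made up for this example.
SAMPLE_LOG = """\
[Mon Jan 01 10:00:01 2018] [:error] [pid 4021] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:[A-Za-z0-9+/]{64,})" at ARGS:access_token. [file "/etc/modsecurity/example.conf"] [line "12"] [id "9990001"] [msg "Constructed rule: long encoded string"] [hostname "www.example.com"] [uri "/administrator/index.php"] [unique_id "AAA1"]
[Mon Jan 01 10:00:02 2018] [:error] [pid 4021] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:[A-Za-z0-9+/]{64,})" at ARGS:refresh_token. [file "/etc/modsecurity/example.conf"] [line "12"] [id "9990001"] [msg "Constructed rule: long encoded string"] [hostname "www.example.com"] [uri "/administrator/index.php"] [unique_id "AAA2"]
[Mon Jan 01 10:05:40 2018] [:error] [pid 4033] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:[A-Za-z0-9+/]{64,})" at ARGS:access_token. [file "/etc/modsecurity/example.conf"] [line "12"] [id "9990001"] [msg "Constructed rule: long encoded string"] [hostname "www.example.com"] [uri "/administrator/index.php"] [unique_id "AAA3"]
[Mon Jan 01 10:06:00 2018] [:error] [pid 4033] [client 203.0.113.7] ModSecurity: Warning. Pattern match "bot" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/example.conf"] [line "30"] [id "9990002"] [msg "Constructed rule: logged only"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "AAA4"]
[Mon Jan 01 10:07:00 2018] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'
"""

# [name "value"] metadata pairs appended to every ModSecurity message
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Only blocking actions matter here; "Warning." lines did not stop the request
DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')
# The request variable that matched, e.g. ARGS:access_token
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s\]]+?)?)\.\s')


def denials(log_text, status="403"):
    """Return one dict per request that ModSecurity blocked with `status`."""
    found = []
    for line in log_text.splitlines():
        hit = DENIED.search(line)
        if not hit or hit.group(1) != status:
            continue
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        found.append({
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
        })
    return found


def summarize(log_text):
    """Count denials per (rule id, matched variable, URI), most frequent first."""
    keys = ((d["id"], d["target"], d["uri"]) for d in denials(log_text))
    return Counter(keys).most_common()


if __name__ == "__main__":
    for (rule_id, target, uri), count in summarize(SAMPLE_LOG):
        print(f"rule {rule_id} blocked {target} on {uri}: {count} time(s)")
```

A rule id that repeatedly fires on the token fields of the administrator URL is the one to raise with the host.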