Issues Related to REST and Backbone Authentication Process

I am currently working on a site created using Backbone.js. The site has a RESTful API built in Symfony with FOSRestBundle. Development went well until I came across some user-related tickets.

As far as I understand, the best way to deal with this type of problem is a token-based system, where the user receives an access token after an approved login. I will describe my current perception of the workflow and ask questions along the way. More importantly, please correct me if I misunderstood.

First, the user accesses the login form, then the user enters the credentials, and the AJAX request is sent to the server. From what I understand, all of this should be handled using SSL, but with Backbone.js you cannot just say that the login page should be accessible using HTTPS, since Backbone is a single-page framework. So does that force me to use HTTPS throughout the app?

In the next step, the REST server validates the credentials and, if they are approved, the REST server sends the access token to the client. Is this token stored (on the client side) in local storage or in a cookie?

Is the login also stored on the server, so that the REST server can log the user out after a certain time?

Now the client sends this access token along with each subsequent request so that the server can identify the client and approve the request. So, is the access token also stored on the REST server?

Finally, is that what smart people call "oauth", or is it related to it?

Thanks.

1 answer

Let me take your questions in turn.

From what I understand, everything should be handled using SSL, but with Backbone.js you cannot just say that the login page should be accessible using HTTPS, since Backbone is a single-page framework. So does that force me to use HTTPS throughout the app?

Well, there is a lot to unpack here. Let's start with SSL/HTTPS. HTTPS is a protocol; in other words, it determines how you send packets to/from the server. It has nothing to do with whether your application is single-page or multi-page; any kind of site can use HTTP or HTTPS.

Now, to put it simply, sending login information (or anything else that contains passwords) via HTTP is a very bad idea, because it is very easy for "bad people" to steal your users' passwords. So, whether you are using a single-page or multi-page application, you should always use HTTPS when you submit login information. Since it is a pain to support both HTTP and HTTPS, and since other, non-login data can also be sensitive, many people prefer to simply make all their requests via HTTPS (but you don't have to).

So, to answer your real question, Backbone does not force you to use HTTPS for your login at all; protecting user passwords forces you.

In the next step, the REST server validates the credentials and they are approved, then the REST server sends the access token to the access client. Is this token stored (on the client side) in local storage or in a cookie?

Although any given framework can do it differently, the vast majority use cookies to store the token locally. For various reasons, they are the best tool for this kind of thing.

Is the login also stored on the server, so that the REST server can log the user out after a certain amount of time?

You have a basic correct idea, but the server doesn’t exactly store the login ... this is more like the server registering the user and creating a “session”. It gives this session an identifier, and then whenever the user enters a new request, the session identifier comes with the request (since this works with cookies). The server can then say, “Oh, this is Bob’s session” and serve the appropriate content for Bob.

Now the client sends this access token along with each subsequent request, so that the server can identify the client and approve the request or not. So is the access token also stored on the REST server?

If you use two separate servers, they aren't going to know about each other on their own; you have to make them talk to each other. For this reason, your life will be easier if you can just have one (possibly REST-ful) server for your entire application. If you cannot, then your REST server will have to ask your other server "hey, tell me about session SESSION_ID" every time it receives a request.

Finally, is that what smart people call "oauth", or is it related to it?

Sort of, but not quite. OAuth is an authorization standard, so it is tangentially related, but if your login system doesn't involve a whole separate server, you have no reason to use it. You could use OAuth to solve your "two servers, one REST-ful and one not" problem, but that is likely to be overkill (and in any case it is beyond what I can explain in this answer).

Hope this helps.

