Studying Google's implementations indicates that their hosted CalDAV service uses somewhat standard OAuth.
It is still somewhat "custom" because nobody else uses OAuth with CalDAV. I shall work on a good design for integrating this in a way that doesn't special-case Google all over the place, and that clean design will likely be the largest time sink for this.
This is milestone 8.
Our first-class citizen design path should be: https://www.rfc-editor.org/rfc/rfc8414